Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-24 Thread Gary McKinney
Arnauld,

It almost looks like something in the supplicant is not configured properly
to use the certificate sent from the server during the handshake phase... I
have attached a copy of some of my notes (written to myself so some of the
meaning in the notes may not be exactly correct - but heck - they were for
me anyway [grin]) that show an EAP/TTLS session negotiation...

Take a look and compare to what you are doing to see if you can determine
where things are going off the deep end... I would suggest setting up
testing for EAP/TTLS in a simple configuration for user authorization
first - then fold in the LDAP authorization

Hope this helps

gm...

- Original Message - 
From: Arnauld Dravet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 8:40 AM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


   Have you looked at the make output from the compile to see if there
   are any error or warning messages?

  Yep, it was my fault: I have OpenSSL 0.9.6 and 0.9.7 installed for
  certificate generation, and of course I forgot to link freeradius-cvs
  against 0.9.7 =) Works much better now; at least radiusd is launching.

  But I still have a problem during TLS init (I'm trying to set up a TTLS
  connection):

  The client (Aegis - WinXP) is configured in TTLS Auth + MS-CHAP-V2
  tunneled protocol. Seems like I've got a problem with certificates, but I
  don't understand why, since I'm not supposed to have one on the
  client-side...

 Here is the output, sorry if a bit long:



 rad_recv: Access-Request packet from host 192.168.6.3:1794, id=79,
length=242
 NAS-IP-Address = 192.168.6.3
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 5
 Framed-MTU = 1400
 User-Name = arnauld.dravet
 Calling-Station-Id = 00904b625711
 Called-Station-Id = 000d54fc1807
 NAS-Identifier = EPSI AP1
 State = 0xfdd7e79f9bbab3286563325da5e5199a
 EAP-Message =
 0x0203006a15800060160301005b0157030140d9772aeddf802406fe3f32167240a335e4
 99126e92bb2f0423691ebb49fad93000390038003500160013000a00330032002f0066000500
 040065006400630062006000150012000900140011000800030100
 Message-Authenticator = 0xfdb7fe56ea406a82a82906e64a1951a2
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 2
   modcall[authorize]: module preprocess returns ok for request 2
   modcall[authorize]: module chap returns noop for request 2
   modcall[authorize]: module mschap returns noop for request 2
 rlm_realm: No '@' in User-Name = arnauld.dravet, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 2
   rlm_eap: EAP packet type response id 3 length 106
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 2
   modcall[authorize]: module files returns notfound for request 2
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for arnauld.dravet
 radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
 radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
 (&(objectclass=posixAccount)(uid=arnauld.dravet))
 rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
 rlm_ldap: looking for check items in directory...
 rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX  op=21
 rlm_ldap: Adding ntPassword as NT-Password, value
 EFAC11B52777F8D7A34BDC1A0F89228D  op=21
 rlm_ldap: Adding lmPassword as LM-Password, value
 136BE46417241D68AAD3B435B51404EE  op=21
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user arnauld.dravet authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 2
 modcall: group authorize returns updated for request 2
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 2
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/ttls
   rlm_eap: processing type ttls
   rlm_eap_ttls: Authenticate
   rlm_eap_tls: processing TLS
 rlm_eap_tls:  Length Included
   eaptls_verify returned 11
 (other): before/accept initialization
 TLS_accept: before/accept initialization
 TLS_accept: SSLv3 read client hello A
 TLS_accept: SSLv3 write server hello A
 TLS_accept: SSLv3 write certificate A
 TLS_accept: SSLv3 write key exchange A
 TLS_accept: SSLv3 write server done A
 TLS_accept: SSLv3 flush data
 TLS_accept:error in SSLv3 read client certificate A
 In SSL Handshake Phase
 In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module eap returns handled for request 2
 modcall: group authenticate returns handled for request

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Gary McKinney
Hi Arnauld,

Have you looked at the make output from the compile to see if there are
any error or warning messages?  It sounds like either there is an error in
the latest CVS stopping the compilation of modules (most likely not) or
something the compilation requires is missing - from the sounds of it I
am wondering if the OpenSSL version is the correct version - you do have
the latest (greater than 0.9.7) OpenSSL installed??? (I don't install
a binary but instead download the source and compile on my machine -
seems some of the binaries out there don't install all of the pieces needed
to compile parts of freeradius (header files, libs, etc.).)

I would first look at the messages thrown out by the make command and
the configure command to see if something flags a problem...

Just some thoughts...

gm..

- Original Message - 
From: Arnauld Dravet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 6:18 AM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


I really can't get CVS to work. It compiles fine, but I tried several CVS
versions and I got this at startup:

Module: Instantiated unix (unix)
radiusd.conf[9] Failed to link to module 'rlm_eap': file not found
[EMAIL PROTECTED]:/usr/local/freeradius-cvs#

don't know if i can use the rlm_eap module from the non-cvs version.


-- 
Arnauld Dravet



-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Gary McKinney
Mack,

TTLS is not in the 0.9.3 version - you have to use the 1.0.0-pre version to
get TTLS support.

The nice thing about TTLS is the fact the client security certificate is
optional! Makes it much easier to deploy if you have a good number of
clients or you don't have access to the wireless devices to install said
certificates.

Glad to see you are gaining some insight into the wonderful world of
hi-security wireless access [grin].  It is rather complicated but MUCH
better at protecting the content of the link vs WEP...

gm...

- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 22, 2004 3:53 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


 Gary & Alan,

 Thanks guys.  Sorry for being so stupid about all of this, but thanks to
 y'all and the reading that I've done in this short period of time, I have
 learned a great deal about how this stuff works.

 When using TTLS or PEAP, it seems that I'll still need EAP-TLS...but just
 on the server-side, not the client (am I right?).  I think that TTLS will
 be a better fit as it seems to support more methods, and PEAP seems to be
 strictly an MS thing.  I actually got the PEAP working now, though, thanks
 to your direction.

 I'll look into demoing third party clients.  Know of any free ones,
 though?

 It looks like maybe the 0.9.3 version of freeradius does not support TTLS.
 Is this correct?  If so, does the CVS version include support?  Sorry if
 this, too, is documented somewhere, but I just thought I'd ask while I was
 here.

 Thanks for the help!

 mack



 On 22 Jun 2004 at 12:37, Gary McKinney wrote:

  Mack,
 
  Take a look at the following URL:
 
  http://3w.denobula.com:5/EAPTLS.pdf
 
  It may be a little dated but all of the info is still relevant... one
  thing to take notice of is there is NO user password exchanged as
  EAP/TLS does not use a user's password for authentication - that chore
  is handled by the fact the supplicant contains a VALID user
  certificate the server recognizes.
 
  I think the above is what Alan is trying to convey to you - you can
  not use EAP/TLS and LDAP together as there is NO user password
  exchanged between the supplicant and Freeradius (or any other radius
  server) in that mode.  If you are looking to use LDAP and a very
  secure method for the link between the client and the AP you will have
  to use a different method (PEAP or EAP/TTLS come to mind)...
 
  You may want to check out other supplicant software (if you are
  thinking of using the EAP/TTLS method you may want to check out the
  Odyssey Supplicant software from Funk Software (they are the ones who
  came up with TTLS and are working on an RFC to that effect).
 
  I may not have stated all of the above totally correctly but you
  should get the basic meaning [grin]...
 
  There are several RFCs that come with the freeradius package - I
  would strongly suggest reading them as they are the basis for all the
  different protocols and authentication methods Alan and company have
  based the Freeradius software against (I think)
 
  I hope the above information is helpful and taken in the manner in
  which it was meant (to be informative and helpful)...
 
  gm...
 
 
  -- Original Message --
  From: Mack [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  Date:  Tue, 22 Jun 2004 12:02:33 -0400
 
  Alan,
  
  At your request, I'll try to reformat this so that it is presented as
  a problem/challenge rather than a "why doesn't my solution work"
  post:
  
  Problem:
  My AP is a 3com 7250.  It requires that you enable 802.1x on itself,
  the client, and the radius server if you want to use the radius
  server as the authentication server.  My understanding is that
  802.1x requires EAP-something.  I chose EAP-TLS because my client is
  stock XP and my understanding is that EAP-TLS is my only option with
  that client.
  
  My boss asked me if it was possible to authenticate our wireless
  users against Novell's eDirectory (LDAP).  He did not specifically
  require 802.1x/EAP-anything.  The only reason I'm using 802.1x/EAP is
  because the AP requires it.
  
  I have successfully implemented EAP-TLS authentication between the
  client, AP, and freeradius.  Now I am attempting to add LDAP
  authentication, but have not been successful.
  
  I can provide any configs/logs if needed.
  
  Solution:
  None so far.  Anyone have any suggestions/comments?  What would y'all
  do in my position?
  
  thanks,
  mack
  
  
  
  On 21 Jun 2004 at 23:52, Alan DeKok wrote:
  
   Mack [EMAIL PROTECTED] wrote:
My AP requires that I enable 802.1x in order to use RADIUS
authentication.  So, I figured I'd use EAP-TLS.
  
   Are you picking it at random, or are you looking at the features it
    offers, and using your requirements to decide on a solution?
  
 I'm just testing now...using an XP client, so I chose to use
EAP-TLS.  I want to use LDAP

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Arnauld Dravet
 Have you looked at the make output from the compile to see if there are
 any error or warning messages?  

Yep, it was my fault: I have OpenSSL 0.9.6 and 0.9.7 installed for certificate
generation, and of course I forgot to link freeradius-cvs against 0.9.7 =) Works
much better now; at least radiusd is launching.

But I still have a problem during TLS init (I'm trying to set up a TTLS connection):

The client (Aegis - WinXP) is configured in TTLS Auth + MS-CHAP-V2 tunneled
protocol. Seems like I've got a problem with certificates, but I don't understand
why, since I'm not supposed to have one on the client-side...

Here is the output, sorry if a bit long:



rad_recv: Access-Request packet from host 192.168.6.3:1794, id=79, length=242
NAS-IP-Address = 192.168.6.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 5
Framed-MTU = 1400
User-Name = arnauld.dravet
Calling-Station-Id = 00904b625711
Called-Station-Id = 000d54fc1807
NAS-Identifier = EPSI AP1
State = 0xfdd7e79f9bbab3286563325da5e5199a
EAP-Message = 
0x0203006a15800060160301005b0157030140d9772aeddf802406fe3f32167240a335e4
99126e92bb2f0423691ebb49fad93000390038003500160013000a00330032002f0066000500
040065006400630062006000150012000900140011000800030100
Message-Authenticator = 0xfdb7fe56ea406a82a82906e64a1951a2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '@' in User-Name = arnauld.dravet, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 2
  modcall[authorize]: module files returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for arnauld.dravet
radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter 
(&(objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX  op=21
rlm_ldap: Adding ntPassword as NT-Password, value 
EFAC11B52777F8D7A34BDC1A0F89228D  op=21
rlm_ldap: Adding lmPassword as LM-Password, value 
136BE46417241D68AAD3B435B51404EE  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
TLS_accept: SSLv3 read client hello A
TLS_accept: SSLv3 write server hello A
TLS_accept: SSLv3 write certificate A
TLS_accept: SSLv3 write key exchange A
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 79 to 192.168.6.3:1794
EAP-Message = 
0x0104040a15c00761160301004a0246030140d97726d7480866aec454ff67f74505234d
669e72f26ff753fef0269dcb813e20bcf69fe6863b9922dec0ccf8b178896627f9e78227c3b38356
951ec41fafef6000160016030105f20b0005ee0005eb00028e3082028a308201f3a0030201020201
02300d06092a864886f70d0101040500307f310b30090603550406130246523110300e0603550408
130748657261756c74311430120603550407130b4d6f6e7470656c6c6965723111300f060355040a
130845505349204d5450311330110603550403130a776973686d61737465723120301e06092a8648
86f70d010901161161646d696e40
EAP-Message = 
0x6d74702e657073692e6672301e170d3034303632323136303934335a170d303530363232313630
3934335a307e310b30090603550406130246523110300e0603550408130748657261756c74311430
120603550407130b4d6f6e7470656c6c6965723111300f060355040a130845505349204d54503110

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Arnauld Dravet
Update to the previous mail: when I choose on the client not to validate the 
server certificate chain, radius crashes when opening the TTLS tunnel:

rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 20
modcall: group authorize returns updated for request 20
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
Segmentation fault
[EMAIL PROTECTED]:/usr/local/freeradius-cvs#



-- 
Arnauld Dravet




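What follows is an added example, not part of the thread and not FreeRADIUS code: a small Python triage script for debug output like the two excerpts above. Two things in the first log are easy to misread. The supplicant's EAP-Message begins 02 03 006a 15 80: code 2 (Response), identifier 3, length 106, EAP type 21 (EAP-TTLS), flags 0x80 (the L bit, so a four-byte TLS length follows). That confirms the client is doing TTLS, as configured, rather than EAP-TLS. And "TLS_accept:error in SSLv3 read client certificate A" is not a certificate failure. With EAP the TLS handshake is spread over several RADIUS round trips, so after writing its certificate flight the server's SSL_accept() returns because it needs data that has not arrived yet; FreeRADIUS prints that state with the word "error", eaptls_process returns 13 (EAPTLS_HANDLED) and the server sends the Access-Challenge carrying its certificate. A successful EAP-TTLS or PEAP handshake produces exactly the same lines at this point; what is wrong is what does not follow. No further Access-Request arrives for this conversation because the supplicant discarded the server certificate, which fits the update above: with server-certificate validation switched off on the client, the next request reaches "eaptls_process returned 7" (EAPTLS_OK) and "Session established", and the crash after that is in the TTLS tunnel code of that CVS snapshot, a separate problem.

The script decodes the EAP header of each request, records the last TLS state and the eaptls_process return code, and reports where the conversation stopped. Its two sample logs are constructed and shortened, with well-formed EAP-Message bytes; the hex quoted in the archive above has lost bytes in transit (the EAP header claims 106 bytes and fewer are present), which decode_eap_message reports as truncated. The meaning of return codes 7, 11 and 13 is taken from the eaptls_status_t enum in the FreeRADIUS 1.0 sources.

```python
"""Triage an EAP-TLS/TTLS/PEAP conversation from `radiusd -X` output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

EAP_TYPES = {13: "TLS", 21: "TTLS", 25: "PEAP"}  # EAP method type byte -> name
EAPTLS_OK, EAPTLS_LENGTH_INCLUDED, EAPTLS_HANDLED = 7, 11, 13  # eaptls_status_t, FreeRADIUS 1.0

@dataclass
class EapMessage:
    code: int                  # 1 = Request, 2 = Response
    identifier: int
    length: int                # length claimed by the EAP header
    eap_type: int              # 13 / 21 / 25 = TLS / TTLS / PEAP
    flags: int                 # EAP-TLS flags byte: L=0x80, M=0x40, S=0x20
    tls_length: Optional[int]  # total TLS message length, present when L is set
    truncated: bool            # claimed length disagrees with the bytes present

def decode_eap_message(raw: bytes) -> EapMessage:
    """Decode the EAP header and EAP-TLS flags of one EAP-Message attribute."""
    length, flags = int.from_bytes(raw[2:4], "big"), raw[5]
    tls_len = int.from_bytes(raw[6:10], "big") if flags & 0x80 and len(raw) >= 10 else None
    return EapMessage(raw[0], raw[1], length, raw[4], flags, tls_len, length != len(raw))

@dataclass
class Request:
    req_id: int
    eap: Optional[EapMessage] = None
    last_tls_state: str = ""
    process_rc: Optional[int] = None
    challenge_sent: bool = False
    session_established: bool = False

RAD_RECV = re.compile(r"rad_recv: Access-Request packet from host \S+, id=(\d+)")
EAP_MSG = re.compile(r"EAP-Message =\s*(?:0x)?([0-9a-fA-F]*)$")
HEX_LINE = re.compile(r"^(?:0x)?([0-9a-fA-F]+)$")  # wrapped continuation of the hex
TLS_STATE = re.compile(r"TLS_accept:\s*(.+)")
PROCESS_RC = re.compile(r"eaptls_process returned (\d+)")

def parse_debug(text: str) -> List[Request]:
    """Split debug output into Access-Requests and collect each one's TLS milestones."""
    requests, cur, hex_buf = [], None, None  # hex_buf: the request's EAP-Message being read
    for line in text.splitlines():
        line = line.strip()
        if m := RAD_RECV.search(line):
            cur, hex_buf = Request(int(m.group(1))), None
            requests.append(cur)
            continue
        if cur is None:
            continue
        if (m := EAP_MSG.search(line)) and cur.eap is None:  # the request's, not the reply's
            hex_buf = m.group(1)
            continue
        if hex_buf is not None and (m := HEX_LINE.match(line)):
            hex_buf += m.group(1)
            continue
        if hex_buf is not None:  # first non-hex line closes the attribute
            cur.eap = decode_eap_message(bytes.fromhex(hex_buf))
            hex_buf = None
        if m := TLS_STATE.search(line):
            cur.last_tls_state = m.group(1)
        if m := PROCESS_RC.search(line):
            cur.process_rc = int(m.group(1))
        cur.challenge_sent |= "Sending Access-Challenge" in line
        cur.session_established |= "Session established" in line
    return requests

def diagnose(requests: List[Request]) -> str:
    if not requests:
        return "no Access-Request seen"
    last = requests[-1]
    if last.session_established or last.process_rc == EAPTLS_OK:
        return "TLS tunnel established; anything still failing is in the inner method"
    # "error in SSLv3 read client certificate A" is SSL_accept() wanting more data, not a failure
    if ("read client certificate" in last.last_tls_state and last.process_rc == EAPTLS_HANDLED
            and last.challenge_sent):
        return ("server sent its certificate flight and is waiting; no later Access-Request "
                "arrived, so the supplicant dropped the handshake after seeing the server "
                "certificate (check that it trusts the issuing CA)")
    return "conversation incomplete; inspect the last request by hand"

# Constructed excerpts. EAP-Message = 02 03 0013 15 80 00000009 + 9 TLS bytes, i.e. Response,
# id 3, 19 bytes, type 21 (TTLS), L bit set, TLS length 9; wrapped over two lines like radiusd does.
SAMPLE_STALLED = """\
rad_recv: Access-Request packet from host 192.168.6.3:1794, id=79, length=242
        EAP-Message = 0x0203001315800000000916030100040100
0000
  eaptls_verify returned 11
TLS_accept: SSLv3 write server done A
TLS_accept:error in SSLv3 read client certificate A
  eaptls_process returned 13
Sending Access-Challenge of id 79 to 192.168.6.3:1794
"""
SAMPLE_TUNNEL = """\
rad_recv: Access-Request packet from host 192.168.6.3:1794, id=84, length=180
        EAP-Message = 0x02070013158000000009170301000401020304
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
"""
```

Import it and hand parse_debug() the text of a radiusd -X run; diagnose() judges the last Access-Request only, so cut the output down to one conversation (one State value) first. The fix it points at on this page belongs on the supplicant: install or select the CA that issued the server certificate rather than switching validation off, because a TTLS tunnel whose server end is not validated can be terminated by any access point and RADIUS server that announce the same SSID, and the inner MS-CHAPv2 exchange then goes to them.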


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Alan,

At your request, I'll try to reformat this so that it is presented as a 
problem/challenge rather than a "why doesn't my solution work" post:

Problem:
My AP is a 3com 7250.  It requires that you enable 802.1x on itself, the client, and 
the radius server if you want to use the radius server as the authentication server.
My understanding is that 802.1x requires EAP-something.  I chose EAP-TLS 
because my client is stock XP and my understanding is that EAP-TLS is my only 
option with that client.

My boss asked me if it was possible to authenticate our wireless users against 
Novell's eDirectory (LDAP).  He did not specifically require 802.1x/EAP-anything.  
The only reason I'm using 802.1x/EAP is because the AP requires it.

I have successfully implemented EAP-TLS authentication between the client, AP, 
and freeradius.  Now I am attempting to add LDAP authentication, but have not 
been successful.

I can provide any configs/logs if needed.

Solution:
None so far.  Anyone have any suggestions/comments?  What would y'all do in my 
position?

thanks,
mack



On 21 Jun 2004 at 23:52, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  My AP requires that I enable 802.1x in order to use RADIUS
  authentication.  So, I figured I'd use EAP-TLS.
 
   Are you picking it at random, or are you looking at the features it
 offers, and using your requirements to decide on a solution?
 
   I'm just testing now...using an XP client, so I chose to use
  EAP-TLS.  I want to use LDAP because that's where our userbase is
  stored (Novell eDirectory).  The idea is to authenticate users via
  LDAP.
 
   I thought I had been pretty clear in my response: EAP-TLS and LDAP
 are mutually incompatible.  Stop trying to get them to work together.
 
   I'm only using EAP-TLS because the AP won't let me use RADIUS
  otherwise.  Of course, I'm such a newbie that I'm probably getting
  it all wrong.  That's where I was hoping the list would help.
 
   You should ask about how to solve a problem, rather than asking why
 the solution you chose didn't work.
 
  If you were given my task, how would you go about implementing this?
 
   I told you.  Go back and read my message.
 
   If you could describe a problem, I might be able to come up with an
 alternate solution.
 
   Alan DeKok.
 
 


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Alan DeKok
Mack [EMAIL PROTECTED] wrote:
 I have successfully implemented EAP-TLS authentication between the
 client, AP, and freeradius.  Now I am attempting to add LDAP
 authentication, but have not been successful.

  Because it's impossible.  EAP-TLS provides *nothing* with which to
do LDAP authentication.  There are no passwords or *anything* carried
inside of EAP-TLS.  The most you can do is verify that the person
using EAP-TLS has an entry in the LDAP database.

  Use EAP-TTLS, or PEAP.

  Alan DeKok.

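An added example (not from the thread, not FreeRADIUS code) that makes the server's side of Alan's point concrete. With EAP-TLS the RADIUS server receives a client certificate and nothing else, so the directory can only be consulted for authorization: does this identity exist and is it allowed on, which is what rlm_ldap's "authorized to use remote access" line in the debug output earlier on this page amounts to. EAP-TTLS and PEAP instead build a TLS tunnel to the server and run an inner method through it, and what that inner method can be checked against depends on how the password is stored. Inner PAP delivers the password itself, so any stored form the server can recompute works, including the {CRYPT} hash rlm_ldap pulled from userPassword in that log. Inner MS-CHAPv2, which is what the Aegis client in the thread is configured for, is a challenge/response computed from the NT hash, so the server must hold the cleartext password or the NT hash itself; that is why rlm_ldap maps the ntPassword attribute onto FreeRADIUS's NT-Password check item, and a directory holding only crypt hashes cannot serve it.

The Python below derives NT-Password from a cleartext password (MD4 over the UTF-16LE encoding, implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3), maps an entry onto check items the way that log shows, and answers which inner methods the entry can support. The LDAP attribute names are the ones from the log; the entries are constructed.

```python
"""NT-Password derivation and what a tunnelled inner method can be checked against.
Added example, not FreeRADIUS code; the directory entries used here are constructed."""
import struct
from typing import Dict

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled under OpenSSL 3)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"  # padding: 0x80, zeros to 56 mod 64, then bit length (LE)
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, X[k] order, shift amounts, additive constant)
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_password(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password: the value FreeRADIUS expects in NT-Password."""
    return md4(password.encode("utf-16-le")).hex().upper()

def check_items_from_ldap(entry: Dict[str, str]) -> Dict[str, str]:
    """Map directory attributes onto RADIUS check items the way rlm_ldap did in the debug
    output earlier on this page; the attribute names are the ones that log shows."""
    mapping = {"userPassword": "User-Password", "ntPassword": "NT-Password",
               "lmPassword": "LM-Password"}
    return {radius: entry[ldap] for ldap, radius in mapping.items() if ldap in entry}

def can_verify(inner_method: str, items: Dict[str, str]) -> bool:
    """Can the server check this tunnelled inner method against these stored credentials?"""
    stored = items.get("User-Password", "")
    cleartext = bool(stored) and not stored.startswith("{")  # "{CRYPT}...", "{SSHA}..." are hashes
    if inner_method == "PAP":
        # The tunnel delivers the password itself, so any form the server can recompute
        # will do: cleartext, a {CRYPT}/{SSHA} hash, or the NT/LM hash.
        return bool(items)
    if inner_method == "MS-CHAPv2":
        # The response is computed from the NT hash alone, so the server needs the cleartext
        # (to derive it) or the NT hash itself; a crypt hash cannot be used.
        return cleartext or "NT-Password" in items
    raise ValueError(f"unknown inner method: {inner_method}")

if __name__ == "__main__":
    crypt_only = {"userPassword": "{CRYPT}$1$saltsalt$0123456789abcdef"}  # constructed entry
    with_nt = dict(crypt_only, ntPassword=nt_password("password"))         # constructed entry
    for name, entry in (("crypt only", crypt_only), ("crypt + ntPassword", with_nt)):
        items = check_items_from_ldap(entry)
        print(name, {m: can_verify(m, items) for m in ("PAP", "MS-CHAPv2")})
```

The value nt_password() returns is password-equivalent for MS-CHAPv2: anyone who can read ntPassword out of the directory can answer the challenge as that user without ever learning the password. Treat the attribute like a cleartext password: restrict who may read it, give the bind DN radiusd uses no more than read access to the users it must authenticate, and put the LDAP connection itself under TLS.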


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Gary McKinney
Mack,

Take a look at the following URL:

http://3w.denobula.com:5/EAPTLS.pdf

It may be a little dated but all of the info is still relevant... one thing to take 
notice of is there is NO user password exchanged as EAP/TLS does not use a user's 
password for authentication - that chore is handled by the fact the supplicant 
contains a VALID user certificate the server recognizes.

I think the above is what Alan is trying to convey to you - you can not use EAP/TLS 
and LDAP together as there is NO user password exchanged between the supplicant and 
Freeradius (or any other radius server) in that mode.  If you are looking to use LDAP 
and a very secure method for the link between the client and the AP you will have to 
use a different method (PEAP or EAP/TTLS come to mind)...

You may want to check out other supplicant software (if you are thinking of using the 
EAP/TTLS method you may want to check out the Odyssey Supplicant software from 
Funk Software (they are the ones who came up with TTLS and are working on an RFC 
to that effect).

I may not have stated all of the above totally correctly but you should get the basic 
meaning [grin]...

There are several RFCs that come with the freeradius package - I would strongly 
suggest reading them as they are the basis for all the different protocols and 
authentication methods Alan and company have based the Freeradius software against 
(I think)

I hope the above information is helpful and taken in the manner in which it was meant 
(to be informative and helpful)...

gm...


-- Original Message --
From: Mack [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 22 Jun 2004 12:02:33 -0400

Alan,

At your request, I'll try to reformat this so that it is presented as a 
problem/challenge rather than a "why doesn't my solution work" post:

Problem:
My AP is a 3com 7250.  It requires that you enable 802.1x on itself, the client, and 
the radius server if you want to use the radius server as the authentication server.
My understanding is that 802.1x requires EAP-something.  I chose EAP-TLS 
because my client is stock XP and my understanding is that EAP-TLS is my only 
option with that client.

My boss asked me if it was possible to authenticate our wireless users against 
Novell's eDirectory (LDAP).  He did not specifically require 802.1x/EAP-anything.  
The only reason I'm using 802.1x/EAP is because the AP requires it.

I have successfully implemented EAP-TLS authentication between the client, AP, 
and freeradius.  Now I am attempting to add LDAP authentication, but have not 
been successful.

I can provide any configs/logs if needed.

Solution:
None so far.  Anyone have any suggestions/comments?  What would y'all do in my 
position?

thanks,
mack



On 21 Jun 2004 at 23:52, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  My AP requires that I enable 802.1x in order to use RADIUS
  authentication.  So, I figured I'd use EAP-TLS.
 
   Are you picking it at random, or are you looking at the features it
 offers, and using your requirements to decide on a solution?
 
   I'm just testing now...using an XP client, so I chose to use
  EAP-TLS.  I want to use LDAP because that's where our userbase is
  stored (Novell eDirectory).  The idea is to authenticate users via
  LDAP.
 
   I thought I had been pretty clear in my response: EAP-TLS and LDAP
 are mutually incompatible.  Stop trying to get them to work together.
 
   I'm only using EAP-TLS because the AP won't let me use RADIUS
  otherwise.  Of course, I'm such a newbie that I'm probably getting
  it all wrong.  That's where I was hoping the list would help.
 
   You should ask about how to solve a problem, rather than asking why
 the solution you chose didn't work.
 
  If you were given my task, how would you go about implementing this?
 
   I told you.  Go back and read my message.
 
   If you could describe a problem, I might be able to come up with an
 alternate solution.
 
   Alan DeKok.
 
 


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Gary & Alan,

Thanks guys.  Sorry for being so stupid about all of this, but thanks to y'all and the 
reading that I've done in this short period of time, I have learned a great deal about 
how this stuff works.

When using TTLS or PEAP, it seems that I'll still need EAP-TLS...but just on the 
server-side, not the client (am I right?).  I think that TTLS will be a better fit as 
it seems to support more methods, and PEAP seems to be strictly an MS thing.  I 
actually got the PEAP working now, though, thanks to your direction.

I'll look into demoing third party clients.  Know of any free ones, though?

It looks like maybe the 0.9.3 version of freeradius does not support TTLS.  Is this 
correct?  If so, does the CVS version include support?  Sorry if this, too, is 
documented somewhere, but I just thought I'd ask while I was here.

Thanks for the help!

mack



On 22 Jun 2004 at 12:37, Gary McKinney wrote:

 Mack,
 
 Take a look at the following URL:
 
 http://3w.denobula.com:5/EAPTLS.pdf
 
 It may be a little dated but all of the info is still relevant... one
 thing to take notice of is there is NO user password exchanged as
 EAP/TLS does not use a user's password for authentication - that chore
 is handled by the fact the supplicant contains a VALID user
 certificate the server recognizes.
 
 I think the above is what Alan is trying to convey to you - you can
 not use EAP/TLS and LDAP together as there is NO user password
 exchanged between the supplicant and Freeradius (or any other radius
 server) in that mode.  If you are looking to use LDAP and a very
 secure method for the link between the client and the AP you will have
 to use a different method (PEAP or EAP/TTLS come to mind)...
 
 You may want to check out other supplicant software (if you are
 thinking of using the EAP/TTLS method you may want to check out the
 Odyssey Supplicant software from Funk Software (they are the ones who
 came up with TTLS and are working on an RFC to that effect).
 
 I may not have stated all of the above totally correctly but you
 should get the basic meaning [grin]...
 
 There are several RFCs that come with the freeradius package - I
 would strongly suggest reading them as they are the basis for all the
 different protocols and authentication methods Alan and company have
 based the Freeradius software against (I think)
 
 I hope the above information is helpful and taken in the manner in
 which it was meant (to be informative and helpful)...
 
 gm...
 
 
 -- Original Message --
 From: Mack [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date:  Tue, 22 Jun 2004 12:02:33 -0400
 
 Alan,
 
 At your request, I'll try to reformat this so that it is presented as
 a problem/challenge rather than a "why doesn't my solution work"
 post:
 
 Problem:
 My AP is a 3com 7250.  It requires that you enable 802.1x on itself,
 the client, and the radius server if you want to use the radius
 server as the authentication server.  My understanding is that
 802.1x requires EAP-something.  I chose EAP-TLS because my client is
 stock XP and my understanding is that EAP-TLS is my only option with
 that client.
 
 My boss asked me if it was possible to authenticate our wireless
 users against Novell's eDirectory (LDAP).  He did not specifically
 require 802.1x/EAP-anything.  The only reason I'm using 802.1x/EAP is
 because the AP requires it.
 
 I have successfully implemented EAP-TLS authentication between the
 client, AP, and freeradius.  Now I am attempting to add LDAP
 authentication, but have not been successful.
 
 I can provide any configs/logs if needed.
 
 Solution:
 None so far.  Anyone have any suggestions/comments?  What would y'all
 do in my position?
 
 thanks,
 mack
 
 
 
 On 21 Jun 2004 at 23:52, Alan DeKok wrote:
 
  Mack [EMAIL PROTECTED] wrote:
   My AP requires that I enable 802.1x in order to use RADIUS
   authentication.  So, I figured I'd use EAP-TLS.
  
    Are you picking it at random, or are you looking at the features it
  offers, and using your requirements to decide on a solution?
  
I'm just testing now...using an XP client, so I chose to use
   EAP-TLS.  I want to use LDAP because that's where our userbase is
   stored (Novell eDirectory).  The idea is to authenticate users
   via LDAP.
  
    I thought I had been pretty clear in my response: EAP-TLS and LDAP
  are mutually incompatible.  Stop trying to get them to work together.
  
I'm only using EAP-TLS because the AP won't let me use RADIUS
   otherwise.  Of course, I'm such a newbie that I'm probably
   getting it all wrong.  That's where I was hoping the list would
   help.
  
    You should ask about how to solve a problem, rather than asking why
  the solution you chose didn't work.
  
   If you were given my task, how would you go about implementing
   this?
  
I told you.  Go back and read my message.
  
If you could describe a problem, I might be able to come up with
 

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Arnauld Dravet
 It looks like maybe the 0.9.3 version of freeradius does not support TTLS.
 Is this correct?  If so, does the CVS version include support?  Sorry if
 this, too, is documented somewhere, but I just thought I'd ask while I was
 here.

I grabbed & compiled the CVS a few hours ago with the goal of making 
TTLS+MSCHAPv2 work, and it crashes when I launch radiusd, saying that it 
can't find the rlm_eap module...

Anyway, just for my information (still trying to get my auth working...): are 
you using a supplicant like Aegis, or just the one provided with your wifi 
card? In my case, I used the Dell drivers and freeradius 0.9.3, and got 
strange things during SSL initialisation. Can't get the logs right now though...

-- 
Arnauld Dravet






Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread dennis rex
On Tue, 2004-06-22 at 12:53, Mack wrote:

 I'll look into demoing third party clients.  Know of any free ones, though?

Mack,

While buying all new client cards is probably not an option, buying one
for testing may be. ZyXEL offers a free version of both the Funk and
Meetinghouse supplicants which work only with their ZyAIR clients.  The
B-100 (a re-badge of the same OEM as a Linksys WPC-11) is about $30 from
Provantage.  The client s/w is on ZyXEL's ftp site.

I've used both for EAP-TLS with 0.93 on XP, W2K and W98 and the
Meetinghouse client on Linux.




Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Arnauld,

I am still making sure my configs are okay before starting up the CVS version.  Will 
let you know how it goes.

I am using the drivers provided by 3COM for my wireless nic, which is a 
3CRPAG175a really nice a/b/g card with an xjack antenna.

My supplicant is whatever comes stock with XP, plus whatever Windows Update 
offers on top of that (service packs, recommended update related to wireless, etc.)  I 
did not see any, nor would I recommend using, drivers from the windows update site.

I don't think a supplicant/client was shipped with my card, but to be honest I did not
look very hard.  I'm just playing with the XP supplicant right now, but will look at
third-party next (like Odyssey (Funk), etc.) since they should support TTLS.  I think the
Windows XP supplicant will work with PEAP, but not TTLS (someone correct me if I'm
wrong).

This is my first attempt at anything wireless (as you may have noticed by my previous 
posts), so I haven't had much experience with the various supplicants out there.  I 
think you can get a fully working demo of Odyssey (double check that) from Funk 
Software...it's supposed to do TTLS, plus some other cool stuff with Novell Client 
signons.  We'll see.

I'll let you know how my TTLS efforts go with the CVS version.  BTW...are you also 
attempting Novell LDAP with TTLS?

later,
mack

On 22 Jun 2004 at 22:14, Arnauld Dravet wrote:

  It looks like maybe the 0.9.3 version of freeradius does not support
  TTLS. Is this correct?  If so, does the CVS version include support?
   Sorry if this, too, is documented somewhere, but I just thought I'd
  ask while I was here.
 
 I grabbed & compiled the CVS a few hours ago with the goal of getting
 TTLS+mschapv2 working, and it crashes when I launch radiusd, saying that it
 can't find the rlm_eap module...
 
 Anyway, just for my information (still trying to get my auth working
 ..) are you using a supplicant like aegis, or just the one provided
 with your wifi card?  In my case, I used the dell drivers, freeradius
 0.9.3, and got strange things during ssl initialisation.  Can't get the
 logs right now though ..
 
 -- 
 Arnauld Dravet
 
 
 
 
 
 -- 
 This message has been scanned for viruses and
 dangerous content by the CSU Email Gateway, and is
 believed to be clean.
 







Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Arnauld Dravet
I'm also a total newbie in the wifi world =) spent 4 days on this auth thing and
can't get it to work yet ..
I'm not using Novell LDAP, it's an OpenLDAP with all our users' info in it:
windows passwords without the 0x in front of the passwords (tried to add it
manually, result is that I can't log in on a workstation after that), and unix
encrypted passwords.

I'll test the Aegis supplicant tomorrow, will post the results ..


 This is my first attempt at anything wireless (as you may have noticed by my
 previous posts), so I haven't had much experience with the various supplicants
 out there.  I think you can get a fully working demo of Odyssey (double check
 that) from Funk Software...it's supposed to do TTLS, plus some other cool stuff
 with Novell Client signons.  We'll see.
 
 I'll let you know how my TTLS efforts go with the CVS version.  BTW...are you
 also attempting Novell LDAP with TTLS?
 
 I'll let you know how my TTLS efforts go with the CVS version.  BTW...are you
 also 
 attempting Novell LDAP with TTLS?
 
 later,
 mack

-- 
Arnauld Dravet





Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Arnauld,

About your runtime error...

I'm getting this one:

Failed to link to module 'rlm_exec': rlm_exec.a:  cannot open shared object file:  No 
such file or directory

This happens straight out of the box, running radiusd -X...no configuration changes
made yet (testing if it runs).  I'm running the latest cvs snapshot, 20040622, on a
gentoo linux system.  Did a standard ./configure, make, make install, with no errors.
Strange...if I comment exec in the instantiate section of radiusd.conf, it then gives
me the same error but this time with rlm_expr.a.

Anyone have any clues what's going on?

thanks


On 22 Jun 2004 at 22:14, Arnauld Dravet wrote:

  It looks like maybe the 0.9.3 version of freeradius does not support
  TTLS. Is this correct?  If so, does the CVS version include support?
   Sorry if this, too, is documented somewhere, but I just thought I'd
  ask while I was here.
 
 I grabbed & compiled the CVS a few hours ago with the goal of getting
 TTLS+mschapv2 working, and it crashes when I launch radiusd, saying that it
 can't find the rlm_eap module...
 
 Anyway, just for my information (still trying to get my auth working
 ..) are you using a supplicant like aegis, or just the one provided
 with your wifi card?  In my case, I used the dell drivers, freeradius
 0.9.3, and got strange things during ssl initialisation.  Can't get the
 logs right now though ..
 
 -- 
 Arnauld Dravet
 
 
 
 
 
 







Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Gary McKinney
Mack,

I was not trying to blow you off by making the statement of reading the
archives... I am still, what I consider, a newbie as well...

The statement about a lot of discussion on the subject you are requesting is
true so I thought you would be better served checking over those discussions!

As for documentation - have you read the rlm-eap and rlm-ldap documentation
in the docs directory of the installation package?  At least the version
1.0.0-pre1 and later source code has information on what you are looking for
in terms of using eap/tls and ldap together (in the rlm-eap docs).

If you can use the pre-release code I would suggest doing so - while 0.9.3
is stable I have found the pre-release code does more [ymmv]...

gm..

- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, June 20, 2004 10:30 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


 Gary,

 I had scanned them prior to posting, but there seem to be no solutions to
 all of the problems people have with this configuration.  My impression is
 that most of the gurus on the list are assuming WAY too much of some of us
 newbies.  They keep coming back with the same replies, like read the faqs,
 readme, rfc, etc., etc.  But, that begs the question:  If that's going to
 be the reply each time, then why even bother with the list in the first
 place?  Oh, well.  I am definitely taking a more in-depth look at the
 archives, though, as you've suggested.  If nothing else, maybe that will
 help me form better questions.  Thanks for the help!

 mack

 On 19 Jun 2004 at 6:34, Gary McKinney wrote:

  Mack,
 
  Check the email archives over the last three months - there is a great
  deal of information on using EAP/TLS and how to use LDAP with
  freeradius (including example snippets).
 
  gm...
  - Original Message - 
  From: Mack [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, June 18, 2004 11:52 PM
  Subject: radius, 802.1x, eap/tls, and edirectory (ldap)
 
 
   Hi,

   I'm a newbie to all of this, so please bear with me.  This list is
   all I've got!

   We are introducing a wireless infrastructure on our campus (a little
   late in the game).  Right now we're in testing phase.  In this testing
   phase, we are using several 3com 7250 AP's, some 3com cards capable of
   802.1x, and Novell eDirectory (LDAP).  My requirement is to enable
   802.1x authentication to the AP's using EAP/TLS.  Additionally, I need
   to be able to authenticate the users to Novell via LDAP.  All via the
   FreeRADIUS server.

   I have configured freeradius version 0.9.3 to work successfully with
   only ldap authentication against Novell eDirectory.  I have also
   verified that 802.1x authentication is working with the AP.  However,
   if I attempt to somehow enable both authentication mechanisms, I fail.
   The logs keep passing the EAP username (common name from cert) to ldap
   and of course ldap spits it out because the object does not exist.

   Again, I'm new to this, and maybe I have made incorrect assumptions of
   what the end result should be.  Maybe this isn't even possible, but
   here's what I had hoped to come away with:  the wireless user boots
   their laptop, then gets authenticated via eap/tls.  They then open a
   browser, and are asked for username and password (via dialog box?), or
   else redirected to a login page.  The username and password are then
   passed to ldap for authentication.  Successful authentication results
   in the client being given internet access.  Is this possible?  Or, am
   I totally misunderstanding how this is all supposed to work (very
   likely)?

   I must admit, I'm not very comfortable when working with the config
   files.  Not too sure what I'm doing in there.  I tackled this whole
   project somewhat blindly, with the help of various bits of info I
   gathered from google searches.  I do need to obtain a good book on
   this stuff...that's obvious...but I am hoping that someone on this
   list has experience with getting freeradius to work with eap/tls and
   novell ldap authentication and is willing to share that experience and
   wisdom.

   (Embarrassed) Sorry again for the newbie-ness of this post, and thanks
   in advance for any help!

   mack
  
  
  
  
 
  ---
  [This E-mail scanned for viruses by Declude Ant-Virus Scanner]
 
 
 
 




Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Alan DeKok
Mack [EMAIL PROTECTED] wrote:
 I had scanned them prior to posting, but there seem to be no solutions
 to all of the problems people have with this configuration.

  From what I can see you're trying to use EAP-TLS, *and* some kind
of LDAP authorization/authentication, but you're not putting the
usernames used by EAP-TLS into LDAP.

  The solution is simple:

  a) put the usernames into LDAP
  b) or, get the clients to use usernames which are in ldap.

   My impression is that most of the gurus on the list are assuming
 WAY too much of some of us newbies.  They keep coming back with the
 same replies, like read the faqs, readme, rfc, etc., etc.

  A significant number of questions on this list are answered in the
FAQ, README, documentation, etc.  Those replies are meant to tell
people to stop wasting their time asking questions on the list, when
the answer is already in front of them.

  But, that begs the question: If that's going to be the reply each
 time, then why even bother with the list in the first place?

  If you would read the list, you would see that most of the questions
involve things which are *not* in the FAQ or README.  Those questions
are answered.

   My requirement is to enable 802.1x authentication to the AP's
   using EAP/TLS. Additionally, I need to be able to authenticate
   the users to Novell via LDAP.

  You can't do this.  It's impossible.

  EAP-TLS is an authentication mechanism.  LDAP doesn't know about
EAP-TLS, and therefore won't be able to authenticate any EAP-TLS
request.

   The logs keep passing the EAP username (common name from cert)
   to ldap and of course ldap spits it out because the object does
   not exist.

  Have you tried adding that object to LDAP?  I really don't see what
the problem is here.

   Maybe this isn't even possible, but here's what I had hoped to
   come away with: the wireless user boots their laptop, then gets
   authenticated via eap/tls.

  That will work.

 They then open a browser, and are asked for username and
   password (via dialog box?), or either redirected to a login
   page.

  By who?  The AP won't do this.  And since the AP won't do this,
*nothing* will.

 The username and password are then passed to ldap for
   authentication.  Successful authentication results in the client
   being given internet access.  Is this possible?

  I doubt it.  I also don't understand why you want the user to log in
twice.

  Alan DeKok.

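Alan's point is that an LDAP lookup keyed on the certificate's common name only succeeds when a directory object actually carries that name. As an added example (not code from this list or from FreeRADIUS), this check compares a set of client-certificate subjects against a constructed LDIF directory and reports which users would hit the "object does not exist" failure after EAP-TLS; the LDIF entries, subjects and the cn/uid attribute names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed LDIF fragment standing in for the campus directory (an
# assumption, not a real eDirectory/OpenLDAP export).
SAMPLE_LDIF = """\
dn: cn=mack,ou=staff,o=campus
cn: mack
uid: mack

dn: cn=arnauld.dravet,ou=staff,o=campus
cn: arnauld.dravet
uid: adravet

dn: cn=dennis,ou=staff,o=campus
cn: dennis
uid: drex
"""

# Constructed client-certificate subjects (RFC 4514 DN strings); the CN is
# the EAP-TLS identity the thread says gets handed to LDAP.
SAMPLE_CERT_SUBJECTS = [
    "CN=mack,OU=Wireless,O=campus",            # CN equals the LDAP cn
    "CN=Arnauld Dravet,OU=Wireless,O=campus",  # CN differs from the LDAP cn
    "CN=Rex\\, Dennis,OU=Wireless,O=campus",   # escaped comma inside the CN
    "CN=drex,OU=Wireless,O=campus",            # matches uid rather than cn
]


def parse_ldif(text):
    """Parse a minimal, unwrapped LDIF blob into a list of {attr: [values]}."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_rdn_value(dn, attr):
    """Return the first value of `attr` in a DN string, honouring backslash escapes."""
    for rdn in re.split(r"(?<!\\),", dn):     # split on unescaped commas only
        name, _, value = rdn.partition("=")
        if name.strip().lower() == attr.lower():
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None


def build_index(entries, attrs):
    """Map (attribute, lower-cased value) onto the DN of the entry holding it."""
    index = {}
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr in attrs:
            for value in entry.get(attr, []):
                index.setdefault((attr, value.lower()), dn)
    return index


@dataclass
class MappingResult:
    subject: str
    common_name: str
    matched_attr: Optional[str]   # directory attribute the CN matched, or None
    entry_dn: Optional[str]


def check_subjects(subjects, ldif_text, attrs=("cn", "uid")):
    """Per subject, say whether its CN resolves to a directory entry (None = LDAP would fail)."""
    index = build_index(parse_ldif(ldif_text), attrs)
    results = []
    for subject in subjects:
        cn = dn_rdn_value(subject, "CN") or ""
        matched_attr, entry_dn = None, None
        for attr in attrs:                # first attribute in `attrs` wins
            hit = index.get((attr, cn.lower()))
            if hit:
                matched_attr, entry_dn = attr, hit
                break
        results.append(MappingResult(subject, cn, matched_attr, entry_dn))
    return results


def unmapped_subjects(results):
    """Subjects that would be rejected because no directory object carries the CN."""
    return [r.subject for r in results if r.matched_attr is None]
```

Running `unmapped_subjects(check_subjects(SAMPLE_CERT_SUBJECTS, SAMPLE_LDIF))` lists the two subjects whose CN matches neither cn nor uid; those are the users for whom either the certificate or the directory entry has to change, which is Alan's option a) or b).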


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Mack
Alan,

I agree...I should read the docs and the lists more thoroughly.

My AP requires that I enable 802.1x in order to use RADIUS authentication.  So, I 
figured I'd use EAP-TLS.  I'm just testing now...using an XP client, so I chose to use 
EAP-TLS.  I want to use LDAP because that's where our userbase is stored (Novell 
eDirectory).  The idea is to authenticate users via LDAP.  I'm only using EAP-TLS 
because the AP won't let me use RADIUS otherwise.  Of course, I'm such a newbie 
that I'm probably getting it all wrong.  That's where I was hoping the list would help.

If you were given my task, how would you go about implementing this?

thanks,
mack



On 21 Jun 2004 at 11:07, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  I had scanned them prior to posting, but there seem to be no
  solutions to all of the problems people have with this
  configuration.
 
   From what I can see you're trying to use EAP-TLS, *and* some kind
 of LDAP authorization/authentication, but you're not putting the
 usernames used by EAP-TLS into LDAP.
 
   The solution is simple:
 
   a) put the usernames into LDAP
   b) or, get the clients to use usernames which are in ldap.
 
My impression is that most of the gurus on the list are assuming
  WAY too much of some of us newbies.  They keep coming back with the
  same replies, like read the faqs, readme, rfc, etc., etc.
 
   A significant number of questions on this list are answered in the
 FAQ, README, documentation, etc.  Those replies are meant to tell
 people to stop wasting their time asking questions on the list, when
 the answer is already in front of them.
 
   But, that begs the question: If that's going to be the reply each
  time, then why even bother with the list in the first place?
 
   If you would read the list, you would see that most of the questions
 involve things which are *not* in the FAQ or README.  Those questions
 are answered.
 
My requirement is to enable 802.1x authentication to the AP's
using EAP/TLS. Additionally, I need to be able to authenticate
the users to Novell via LDAP.
 
   You can't do this.  It's impossible.
 
   EAP-TLS is an authentication mechanism.  LDAP doesn't know about
 EAP-TLS, and therefore won't be able to authenticate any EAP-TLS
 request.
 
The logs keep passing the EAP username (common name from cert)
to ldap and of course ldap spits it out because the object does
not exist.
 
   Have you tried adding that object to LDAP?  I really don't see what
 the problem is here.
 
Maybe this isn't even possible, but here's what I had hoped to
come away with: the wireless user boots their laptop, then gets
authenticated via eap/tls.
 
   That will work.
 
  They then open a browser, and are asked for username and
password (via dialog box?), or either redirected to a login
page.
 
   By who?  The AP won't do this.  And since the AP won't do this,
 *nothing* will.
 
  The username and password are then passed to ldap for
authentication.  Successful authentication results in the client
being given internet access.  Is this possible?
 
   I doubt it.  I also don't understand why you want the user to log in
 twice.
 
   Alan DeKok.
 
 
 







Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Mack
Gary,

No, no, not you.  I didn't mean you...sorry.  You've been helpful...more
so, you've shown a willingness to help.  Thanks for that.

I followed your suggestion about looking deeper into the list archives,
and have progressed a bit further (I think).  I stumbled upon PEAP, and configured
my client to use mschapv2, thus answering the question of how to send LDAP username &
password to radius.  This is all with EAP-TLS working (as far as I can
tell).  However, there's one catch...

While running radiusd in debug mode, watching the output while the client
authenticates (sends username & password), it seems to get caught in a
loop...same output over & over again, and the client never gets totally
authenticated.  The output appears to indicate that the ldap auth and eap
auth were both successful, but this is where it keeps looping...over and over again,
keeps saying both were successful.  Unless I'm just misinterpreting the output
(that's VERY likely).  I've attached some of the output to this email (hope that's
ok...seemed too big to include in the body of the message).

I am using a gentoo ebuild of freeradius now, but will look into the
1.0.0-pre1 version.  I did notice that many of the posts assumed the users were on a
1.0.0-pre1 build.  If nothing else, I can at least read thru the different docs
included in that build, as you've suggested.

Ready for a really dumb question?  What does ymmv mean?  I've often seen
it on lists/boards, but have never seen a translation.

Thanks for the help,
mack

On 21 Jun 2004 at 6:10, Gary McKinney wrote:

 Mack,
 
 I was not trying to blow you off by making the statement of reading
 the archives... I am still, what I consider, a newbie as well...
 
 The statement about a lot of discussion on the subject you are
 requesting is true so I thought you would be better served checking
 over those discussions!
 
 As for documentation - have you read the rlm-eap and rlm-ldap
 documentation in the docs directory of the installation package (at
 least the version 1.0.0-pre1 and later source code) has information on
 what you are looking for in terms of using eap/tls and ldap together
 (in the rlm-eap docs).
 
 If you can use the pre-release code I would suggest doing so - while
 0.9.3 is stable I have found the pre-release code does more [ymmv]...
 
 gm..
 
 - Original Message - 
 From: Mack [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, June 20, 2004 10:30 PM
 Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)
 
 
  Gary,
 
  I had scanned them prior to posting, but there seem to be no solutions to
  all of the problems people have with this configuration.  My impression is
  that most of the gurus on the list are assuming WAY too much of some of us
  newbies.  They keep coming back with the same replies, like read the faqs,
  readme, rfc, etc., etc.  But, that begs the question:  If that's going to
  be the reply each time, then why even bother with the list in the first
  place?  Oh, well.  I am definitely taking a more in-depth look at the
  archives, though, as you've suggested.  If nothing else, maybe that will
  help me form better questions.  Thanks for the help!
 
  mack
 
  On 19 Jun 2004 at 6:34, Gary McKinney wrote:
 
   Mack,
  
   Check the email archives over the last three months - there is a
   great deal of information on using EAP/TLS and how to use LDAP
   with freeradius (including example snippets).
  
   gm...
   - Original Message - 
   From: Mack [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Friday, June 18, 2004 11:52 PM
   Subject: radius, 802.1x, eap/tls, and edirectory (ldap)
  
  
   Hi,

   I'm a newbie to all of this, so please bear with me.  This list
   is all I've got!

   We are introducing a wireless infrastructure on our campus (a
   little late in the game).  Right now we're in testing phase.  In this
   testing phase, we are using several 3com 7250 AP's, some 3com cards
   capable of 802.1x, and Novell eDirectory (LDAP).  My requirement is to
   enable 802.1x authentication to the AP's using EAP/TLS.  Additionally,
   I need to be able to authenticate the users to Novell via LDAP.  All
   via the FreeRADIUS server.

   I have configured freeradius version 0.9.3 to work successfully with
   only ldap authentication against Novell eDirectory.  I have also
   verified that 802.1x authentication is working with the AP.  However,
   if I attempt to somehow enable both authentication mechanisms, I fail.
   The logs keep passing the EAP username (common name from cert) to ldap
   and of course ldap spits it out because the object does not exist.

   Again, I'm new to this, and maybe I have made incorrect assumptions of
   what the end result should be.  Maybe this isn't even possible, but
   here's what I had hoped to come away with:  the wireless user boots
   their laptop, then gets

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Gary McKinney
Hi Mack,

As for the looping problem - one question - do you have a wireless network
card manager running in the background on the laptop (I don't mean the nic
driver) along with the supplicant???

I have EAP/TTLS running at home and ran into a looping problem that sounds
the same (authenticated but kept on re-authenticating)... I am running the
Odyssey Supplicant on a Windows 2000 machine and there was a Linksys NIC
Manager program running at the same time the supplicant was running.  The
NIC manager was causing the supplicant to disconnect from the nic, thereby
causing the supplicant to re-authenticate continuously! (duh!).  Turning off
the NIC manager software fixed the problem.

As for YMMV it means Your Mileage May Vary  [grin]...

gm...

- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 21, 2004 8:21 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


 Gary,

 No, no, not you.  I didn't mean you...sorry.  You've been helpful...more
 so, you've shown a willingness to help.  Thanks for that.

 I followed your suggestion about looking deeper into the list archives,
 and have progressed a bit further (I think).  I stumbled upon PEAP, and
 configured my client to use mschapv2, thus answering the question of how
 to send LDAP username & password to radius.  This is all with EAP-TLS
 working (as far as I can tell).  However, there's one catch...

 While running radiusd in debug mode, watching the output while the client
 authenticates (sends username & password), it seems to get caught in a
 loop...same output over & over again, and the client never gets totally
 authenticated.  The output appears to indicate that the ldap auth and eap
 auth were both successful, but this is where it keeps looping...over and
 over again, keeps saying both were successful.  Unless I'm just
 misinterpreting the output (that's VERY likely).  I've attached some of
 the output to this email (hope that's ok...seemed too big to include in
 the body of the message).

 I am using a gentoo ebuild of freeradius now, but will look into the
 1.0.0-pre1 version.  I did notice that many of the posts assumed the users
 were on a 1.0.0-pre1 build.  If nothing else, I can at least read thru the
 different docs included in that build, as you've suggested.

 Ready for a really dumb question?  What does ymmv mean?  I've often seen
 it on lists/boards, but have never seen a translation.

 Thanks for the help,
 mack

 On 21 Jun 2004 at 6:10, Gary McKinney wrote:

  Mack,
 
  I was not trying to blow you off by making the statement of reading
  the archives... I am still, what I consider, a newbie as well...
 
  The statement about a lot of discussion on the subject you are
  requesting is true so I thought you would be better served checking
  over those discussions!
 
  As for documentation - have you read the rlm-eap and rlm-ldap
  documentation in the docs directory of the installation package (at
  least the version 1.0.0-pre1 and later source code) has information on
  what you are looking for in terms of using eap/tls and ldap together
  (in the rlm-eap docs).
 
  If you can use the pre-release code I would suggest doing so - while
  0.9.3 is stable I have found the pre-release code does more [ymmv]...
 
  gm..
 
  - Original Message - 
  From: Mack [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Sunday, June 20, 2004 10:30 PM
  Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)
 
 
   Gary,

   I had scanned them prior to posting, but there seem to be no solutions
   to all of the problems people have with this configuration.  My
   impression is that most of the gurus on the list are assuming WAY too
   much of some of us newbies.  They keep coming back with the same
   replies, like read the faqs, readme, rfc, etc., etc.  But, that begs
   the question:  If that's going to be the reply each time, then why even
   bother with the list in the first place?  Oh, well.  I am definitely
   taking a more in-depth look at the archives, though, as you've
   suggested.  If nothing else, maybe that will help me form better
   questions.  Thanks for the help!

   mack

   On 19 Jun 2004 at 6:34, Gary McKinney wrote:

    Mack,

    Check the email archives over the last three months - there is a
    great deal of information on using EAP/TLS and how to use LDAP
    with freeradius (including example snippets).

    gm...
    - Original Message - 
    From: Mack [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Sent: Friday, June 18, 2004 11:52 PM
    Subject: radius, 802.1x, eap/tls, and edirectory (ldap)


     Hi,

     I'm a newbie to all of this, so please bear with me.  This list
     is all I've got!

     We are introducing a wireless infrastructure on our campus (a
     little late in the game).  Right now we're in testing phase.  In
     this testing phase, we are using several 3com

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Mack
Gary,


I didn't recognize any services as being a wireless network card manager.  Didn't see 
anything in add/remove, either.  Where/how did you find yours?

Thanks for cluing me in on the meaning of ymmv!

I'll keep digging around for more information on my problem.  BTW...did you have a 
chance to look at the output I attached?  If so, what's your interpretation?

thanks,
mack

On 21 Jun 2004 at 20:47, Gary McKinney wrote:

 Hi Mack,
 
 As for the looping problem - one question - do you have a wireless
 network card manager running in the background on the laptop ( I don't
 mean the nic driver) along with the supplicant???
 
 I have EAP/TTLS running at home and ran into a looping problem that
 sounds the same (authenticated but kept on re-authenticating)... I am
 running the Odyssey Supplicant on a Windows 2000 machine and there was
 a Linksys NIC Manager program running at the same time the supplicant
 was running.  The NIC manager was causing the supplicant to disconnect
 from the nic thereby causing the supplicant to re-authenticate
 continuously! (duh!).  Turning off the NIC manager software fixed
 the problem
 
 As for YMMV it means Your Mileage May Vary  [grin]...
 
 gm...
 
 - Original Message - 
 From: Mack [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 21, 2004 8:21 PM
 Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)
 
 
  Gary,
 
  No, no, not you.  I didn't mean you...sorry.  You've been
  helpful...more so, you've shown a willingness to help.  Thanks for
  that.
 
  I followed your suggestion about looking deeper into the list
  archives, and have progressed a bit further (I think).  I stumbled
  upon PEAP, and configured my client to use mschapv2, thus answering
  the question of how to send LDAP username & password to radius.  This
  is all with EAP-TLS working (as far as I can tell).  However, there's
  one catch...

  While running radiusd in debug mode, watching the output while the
  client authenticates (sends username & password), it seems to get
  caught in a loop...same output over & over again, and the client
  never gets totally authenticated.  The output appears to indicate
  that the ldap auth and eap auth were both successful, but this is
  where it keeps looping...over and over again, keeps saying both were
  successful.  Unless I'm just misinterpreting the output (that's VERY
  likely).  I've attached some of the output to this email (hope that's
  ok...seemed too big to include in the body of the message).

  I am using a gentoo ebuild of freeradius now, but will look into the
  1.0.0-pre1 version.  I did notice that many of the posts assumed the
  users were on a 1.0.0-pre1 build.  If nothing else, I can at least
  read thru the different docs included in that build, as you've
  suggested.
 
  Ready for a really dumb question?  What does ymmv mean?  I've
  often seen it on lists/boards, but have never seen a translation.
 
  Thanks for the help,
  mack
 
  On 21 Jun 2004 at 6:10, Gary McKinney wrote:
 
   Mack,
  
   I was not trying to blow you off by making the statement of
   reading the archives... I am still, what I consider, a newbie as
   well...
  
   The statement about a lot of discussion on the subject you are
   requesting is true so I thought you would be better served
   checking over those discussions!
  
   As for documentation - have you read the rlm-eap and rlm-ldap
   documentation in the docs directory of the installation package
   (at least the version 1.0.0-pre1 and later source code) has
   information on what you are looking for in terms of using eap/tls
   and ldap together (in the rlm-eap docs).
  
   If you can use the pre-release code I would suggest doing so -
   while 0.9.3 is stable I have found the pre-release code does more
   [ymmv]...
  
   gm..
  
   - Original Message - 
   From: Mack [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Sunday, June 20, 2004 10:30 PM
   Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)
  
  
    Gary,

    I had scanned them prior to posting, but there seem to be no
    solutions to all of the problems people have with this
    configuration.  My impression is that most of the gurus on the list
    are assuming WAY too much of some of us newbies.  They keep coming
    back with the same replies, like read the faqs, readme, rfc, etc.,
    etc.  But, that begs the question:  If that's going to be the reply
    each time, then why even bother with the list in the first place?
    Oh, well.  I am definitely taking a more in-depth look at the
    archives, though, as you've suggested.  If nothing else, maybe that
    will help me form better questions.  Thanks for the help!

    mack

    On 19 Jun 2004 at 6:34, Gary McKinney wrote:

     Mack,

     Check the email archives over the last three months - there is
     a great deal of information on using EAP/TLS and how to use

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Alan DeKok
Mack [EMAIL PROTECTED] wrote:
 My AP requires that I enable 802.1x in order to use RADIUS
 authentication.  So, I figured I'd use EAP-TLS.

  Are you picking it at random, or are you looking at the features it
offers, and using your requirements to decide on a solution?

  I'm just testing now...using an XP client, so I chose to use
 EAP-TLS.  I want to use LDAP because that's where our userbase is
 stored (Novell eDirectory).  The idea is to authenticate users via
 LDAP.

  I thought I had been pretty clear in my response: EAP-TLS and LDAP
are mutually incompatible.  Stop trying to get them to work together.

  I'm only using EAP-TLS because the AP won't let me use RADIUS
 otherwise.  Of course, I'm such a newbie that I'm probably getting
 it all wrong.  That's where I was hoping the list would help.

  You should ask about how to solve a problem, rather than asking why
the solution you chose didn't work.

 If you were given my task, how would you go about implementing this?

  I told you.  Go back and read my message.

  If you could describe a problem, I might be able to come up with an
alternate solution.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-20 Thread Mack
Gary,

I had scanned them prior to posting, but there seem to be no solutions to all of the 
problems people have with this configuration.  My impression is that most of the 
gurus on the list are assuming WAY too much of some of us newbies.  They keep 
coming back with the same replies, like read the faqs, readme, rfc, etc., etc.  But, 
that begs the question:  If that's going to be the reply each time, then why even 
bother with the list in the first place?  Oh, well.  I am definitely taking a more 
indepth 
look at the archives, though, as you've suggested.  If nothing else, maybe that will 
help me form better questions.  Thanks for the help!

mack

On 19 Jun 2004 at 6:34, Gary McKinney wrote:

 Mack,
 
 Check the email archives over the last three months - there is a great
 deal of information on using EAP/TLS and how to use LDAP with
 freeradius (including example snippets).
 
 gm...
 - Original Message - 
 From: Mack [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, June 18, 2004 11:52 PM
 Subject: radius, 802.1x, eap/tls, and edirectory (ldap)
 
 
  -- 
  This message has been scanned for viruses and
  dangerous content by the CSU Email Gateway, and is
  believed to be clean.
 
 
 
 
 ---
 [This E-mail scanned for viruses by Declude Ant-Virus Scanner]
 
 
 
 







Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-19 Thread Gary McKinney
Mack,

Check the email archives over the last three months - there is a great deal
of information on using EAP/TLS and how to use LDAP with freeradius
(including example snippets).

gm...
- Original Message - 
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 18, 2004 11:52 PM
Subject: radius, 802.1x, eap/tls, and edirectory (ldap)











radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-18 Thread Mack
Hi,

I'm a newbie to all of this, so please bear with me.  This list is all I've got!

We are introducing a wireless infrastructure on our campus (a little late in the game).
Right now we're in the testing phase.  In this testing phase, we are using several 3com
7250 AP's, some 3com cards capable of 802.1x, and Novell eDirectory (LDAP).  My
requirement is to enable 802.1x authentication to the AP's using EAP/TLS.
Additionally, I need to be able to authenticate the users to Novell via LDAP.  All via
the FreeRADIUS server.

I have configured freeradius version 0.9.3 to work successfully with only ldap 
authentication against Novell eDirectory.  I have also verified that 802.1x 
authentication is working with the AP. However, if I attempt to somehow enable both 
authentication mechanisms, I fail.  The logs keep passing the EAP username 
(common name from cert) to ldap and of course ldap spits it out because the object 
does not exist.

Again, I'm new to this, and maybe I have made incorrect assumptions of what the 
end result should be.  Maybe this isn't even possible, but here's what I had hoped to 
come away with:  the wireless user boots their laptop, then gets authenticated via 
eap/tls.  They then open a browser, and are asked for username and password (via 
dialog box?), or either redirected to a login page.  The username and password are 
then passed to ldap for authentication.  Successful authentication results in the client
being given internet access.  Is this possible?  Or, am I totally misunderstanding how
this is all supposed to work (very likely)?

I must admit, I'm not very comfortable when working with the config files.  Not too 
sure what I'm doing in there.  I tackled this whole project somewhat blindly, with the 
help of various bits of info I gathered from google searches.  I do need to obtain a 
good book on this stuff...that's obvious...but I am hoping that someone on this list 
has experience with getting freeradius to work with eap/tls and novell ldap 
authentication and is willing to share that experience and wisdom.

(Embarrassed) Sorry again for the newbie-ness of this post, and thanks in advance 
for any help!

mack
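
An added example, not from this thread and not FreeRADIUS's own documentation: a FreeRADIUS 1.0-style radiusd.conf fragment showing the one arrangement consistent with Alan's point. EAP-TLS does the authenticating with the client certificate, and rlm_ldap sits in the authorize section only, to look the entry up by the certificate's CN (the "common name from cert" that was failing to match an object) rather than to bind with a password. The server name, bind account, base DN and the assumption that the certificate CN equals the eDirectory cn are placeholders.

```conf
# Added example (not from the thread or the FreeRADIUS docs).
# Assumes: FreeRADIUS 1.0-era radiusd.conf, eDirectory reachable as
# ldap.campus.example (placeholder), and client certificates whose
# CN is the same string as the directory entry's cn.
modules {
    ldap {
        # placeholder hostname and read-only lookup account
        server = "ldap.campus.example"
        identity = "cn=radiuslookup,o=campus"
        password = "CHANGE-ME"
        basedn = "o=campus"
        # Match on the certificate CN carried in User-Name, not on uid.
        # This is the mapping that turns "object does not exist" into a hit.
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        # protect the lookup account's credentials on the wire
        start_tls = yes
    }
    eap {
        default_eap_type = tls
        tls {
            # server certificate/key and the CA that issued client certs
            private_key_file = ${raddbdir}/certs/server.pem
            certificate_file = ${raddbdir}/certs/server.pem
            CA_file = ${raddbdir}/certs/ca.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = /dev/urandom
        }
    }
}
authorize {
    preprocess
    # eap runs first and claims the request (Auth-Type = EAP), so ldap
    # below only looks the entry up and adds its reply items; it never
    # tries to take over authentication.
    eap
    ldap
}
authenticate {
    # No "Auth-Type LDAP { ldap }" here: an EAP-TLS request carries a
    # certificate, not a User-Password, so there is nothing to bind with.
    eap
}
```

The user is accepted or rejected by the TLS handshake against CA_file; the LDAP lookup supplies authorization data for an already-authenticated identity, which is as far as "EAP-TLS and LDAP together" can go.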


