Re: OT: EAP-TTLS - Problem with securew2 and Vista

2008-06-01 Thread Sergio Belkin
Some time ago I came across an atypical way of managing
permissions. At my job, I was trying to make SecureW2 - software
that provides TTLS on Windows systems - work on Windows Vista. For
about a month I was banging my head against the wall, trying to
figure out why SecureW2 was failing on most laptops.

It's OK, I must admit that I don't like Windows. At home I use Linux,
and at work I use Linux most of the time too. You can say that I am
stupid when I tell you why SecureW2 was not working on Vista. SecureW2
was not working because most users run software as a non-privileged
user. So the solution was to right-click and then click
Run as administrator…

What a weird security approach, but the worst part to me is the
strange way of communicating with users. If an action needs more
privileges, I think the right thing is to tell the user about the problem
and not depend on telepathy. Because of this, I like Linux so much.
Linux is not a perfect OS, but it tells you when you must run as
root or obtain more privileges.


-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: OT: EAP-TTLS - Problem with securew2 and Vista

2008-04-28 Thread Sergio Belkin
2008/4/27 Tural Kaptan [EMAIL PROTECTED]:

  Dear Sergio,

  Sorry for the delay in the reply, I just wanted to drop you a note related
 to the problem that you mentioned in your e-mail to the freeradius-users
 list on the 18th of April ..

  We had experienced the same problem with some Vista machines - especially
 64-bit versions .. For this we have used a differently compiled version of
 SecureW2 that you can download from here http://www.hofhom.nl/securew2/ ..
 We are using this version now for some Vista clients without any problem
 .. If you have already successfully solved the problem in a different way, can
 you please drop me a note on this .. If you already solved it in the same way,
 just ignore this e-mail ..

  Thanks and BR,

  Tural Kaptan
  Technical Manager
  ALTO/IT Solutions


Hi Tural,
Sorry for replying to the list, but I think it may be useful for
someone. I'll try this version, since entering the user and password in
SecureW2 instead of waiting for the dialog box to appear didn't solve the
problem.

Thanks in advance.



OT: EAP-TTLS - Problem with securew2 and Vista

2008-04-18 Thread Sergio Belkin
Hi,
Sorry for the off topic, I know that I can ask in the securew2 forums, but
I bet that many of you, as RADIUS administrators with Windows clients,
are using EAP-TTLS with PAP. So, you are using securew2.
*** Securew2 works fine with Windows XP. ***
Sadly, newer laptops are shipped with a crappy system called Windows
Vista. It happens that many laptops with Vista, for an unknown reason
(at least to me), prevent securew2 from appearing, so users can't
authenticate. Perhaps many of you have faced this problem and solved
it; if that's the case, could you please tell me how? Perhaps you found
another tool...

I am using encrypted passwords in LDAP and it seems that I have no chance
to use something other than EAP-TTLS with PAP.

I'd be thankful for your help.

Thanks in advance.


Re: OT: EAP-TTLS - Problem with securew2 and Vista

2008-04-18 Thread Sergio Belkin
Only a clarification:

It happens that many laptops with Vista, for an unknown reason
 (at least to me), prevent securew2 from appearing

I mean: It happens that many laptops with Vista, for an unknown reason
 (at least to me), prevent the securew2 dialog box from appearing

2008/4/18, Sergio Belkin [EMAIL PROTECTED]:
 Hi,
  Sorry for the off topic, I know that I can ask in the securew2 forums, but
  I bet that many of you, as RADIUS administrators with Windows clients,
  are using EAP-TTLS with PAP. So, you are using securew2.
  *** Securew2 works fine with Windows XP. ***
  Sadly, newer laptops are shipped with a crappy system called Windows
  Vista. It happens that many laptops with Vista, for an unknown reason
  (at least to me), prevent securew2 from appearing, so users can't
  authenticate. Perhaps many of you have faced this problem and solved
  it; if that's the case, could you please tell me how? Perhaps you found
  another tool...

  I am using encrypted passwords in LDAP and it seems that I have no chance
  to use something other than EAP-TTLS with PAP.

  I'd be thankful for your help.

  Thanks in advance.





Re: OT: EAP-TTLS - Problem with securew2 and Vista

2008-04-18 Thread Charlie B
Hello Sergio,

We find (depending on the version of Vista) that the bubble doesn't appear;
however, you can have the user enter their information within the profile.

Re: OT: EAP-TTLS - Problem with securew2 and Vista

2008-04-18 Thread Sergio Belkin
2008/4/18, Charlie B [EMAIL PROTECTED]:
 Hello Sergio,

 We find (depending on the version of Vista) that the bubble doesn't appear;
 however, you can have the user enter their information within the profile.



Thanks Zoltan and Charlie, when the dialog box appears I haven't had problems
with DHCP; I will try using the login info within the profile.


Re: Need help for EAP-TTLS problem on marvell 8686 wpa supplicant..

2007-12-03 Thread Raghavendra. S
Hi,

  RADIUS log

[EMAIL PROTECTED]:/usr/local/radius/sbin# ./runradius.sh
+ export LD_LIBRARY_PATH=/usr/local/openssl/lib/
+ ./radiusd -X -y -z -A -f -i 10.89.49.12
Starting - reading configuration files ...
read_config_files:  reading dictionary
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = /usr/local/radius
 main: localstatedir = /usr/local/radius/var
 main: logdir = /usr/local/radius/var/log/radius
 main: libdir = /usr/local/radius/lib
 main: radacctdir = /usr/local/radius/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/radius/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/radius/var/run/radiusd/radiusd.pid
 main: checkrad = /usr/local/radius/sbin/checkrad
 main: debug_level = 0
 main: proxy_requests = yes
 log: syslog_facility = daemon
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading realms
 main: port = 1812
 client: secret = testing123
 client: shortname = localhost
 client: nastype = other
 client: secret = raghu123456
 client: shortname = linksys
 client: secret = raghu123456
 client: shortname = 3com
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: input_pairs = request
 exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded expiration
 expiration: reply-message = Password Has Expired  
Module: Instantiated expiration (expiration)
Module: Loaded logintime
 logintime: reply-message = You are calling outside your allowed timespan

 logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
 pap: encryption_scheme = auto
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: radwtmp = /usr/local/radius/var/log/radius/radwtmp
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = ttls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: pem_file_type = yes
 tls: private_key_file = /etc/certs/cert-srv.pem
 tls: certificate_file = /etc/certs/cert-srv.pem
 tls: CA_file = /etc/certs/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/certs/dh
 tls: random_file = /etc/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/radius/etc/raddb/huntgroups
 preprocess: hints = /usr/local/radius/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/radius/etc/raddb/users
 files: acctusersfile = /usr/local/radius/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/radius/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 

EAP/TTLS problem with Win XP and Linux

2007-10-04 Thread elhammoud rachida

Hello,
I'm trying to use RADIUS to authenticate and authorise users via EAP/TTLS from
XP and Linux (Debian); I'm using only a « users »-like database. I'm
reading the documentation: http://wiki.freeradius.org

I've imported root.pem on both Windows XP and Linux

This is the log on Linux:

rad_recv: Access-Request packet from host 145.238.3.182:1026, id=191, length=208
   Framed-MTU = 1480
   NAS-IP-Address = 145.238.3.182
   NAS-Identifier = sw-test-radius-1
   User-Name = racha
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 17
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 17
   Called-Station-Id = 00-14-38-fe-12-00
   Calling-Station-Id = 00-12-3f-0e-99-6f
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 301
   EAP-Message = 0x0201000a017261636861
   Message-Authenticator = 0xfae743fe55bca3b8b83a48a3f10ed3bc
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 rlm_eap: EAP packet type response id 1 length 10
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 0
   users: Matched entry racha at line 86
 modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
 rlm_eap: EAP Identity
 rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
 modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 191 to 145.238.3.182:1026
   EAP-Message = 0x0102001f1a0102001a105f4f4c366e47d80b1c27e30d08b4b0367261636861
   Message-Authenticator = 0x
   State = 0xfbee0cbaf20c360d6491c2b0b512304d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 145.238.3.182:1026, id=192, length=222
   Framed-MTU = 1480
   NAS-IP-Address = 145.238.3.182
   NAS-Identifier = sw-test-radius-1
   User-Name = racha
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 17
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 17
   Called-Station-Id = 00-14-38-fe-12-00
   Calling-Station-Id = 00-12-3f-0e-99-6f
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 301
   State = 0xfbee0cbaf20c360d6491c2b0b512304d
   EAP-Message = 0x020200060315
   Message-Authenticator = 0xd72410f740ae385523110d6defecb5f0
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 rlm_eap: EAP packet type response id 2 length 6
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
   users: Matched entry racha at line 86
 modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
 rlm_eap: Request found, released from the list
 rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/ttls
 rlm_eap: processing type tls
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 192 to 145.238.3.182:1026
   EAP-Message = 0x010300061520
   Message-Authenticator = 0x
   State = 0x429c3c29e255f725c510981e01307d3e
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 145.238.3.182:1026, id=193, length=313
   Framed-MTU = 1480
   NAS-IP-Address = 145.238.3.182
   NAS-Identifier = sw-test-radius-1
   User-Name = racha
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 17
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 17
   Called-Station-Id = 00-14-38-fe-12-00
   Calling-Station-Id = 00-12-3f-0e-99-6f
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 301
   


Re: EAP/TTLS problem with Win XP and Linux

2007-10-04 Thread tnt
Read the explanation in eap.conf, FAQ, this list hundreds of times ...

Ivan Kalik
Kalik Informatika ISP


On 4/10/2007, elhammoud rachida [EMAIL PROTECTED] wrote:

Hello,
I'm trying to use RADIUS to authenticate and authorise users via EAP/TTLS from
XP and Linux (Debian); I'm using only a « users »-like database. I'm
reading the documentation: http://wiki.freeradius.org
I've imported root.pem on both Windows XP and Linux


Re: EAP/TTLS problem with Win XP and Linux

2007-10-04 Thread Alan DeKok
elhammoud rachida wrote:
 Hello,
 I'm trying to use RADIUS to authenticate and authorise users via EAP/TTLS
 from XP and Linux (Debian); I'm using only a « users »-like database.
 I'm reading the documentation: http://wiki.freeradius.org
 I've imported root.pem on both Windows XP and Linux
...
 the server sends no response, why??

  You are not reading the debug log correctly.  The server IS sending a
challenge.  The NAS (or supplicant) then does not continue with the next
EAP packet.

  Odds are you don't have the root certificates configured correctly.

 and this log by Windows XP
...

  The same thing.

  It's a certificate problem.  The supplicants have decided that they
don't like the server's certificate.  They then stop doing EAP.

  Look at the logs on the supplicant to see why they're stopping EAP.

  Alan DeKok.
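Alan's point, that the server IS sending a challenge and the supplicant never answers it, is easier to see once the EAP-Message hex is decoded. The Python below is an added example, not code from the thread or from FreeRADIUS: it decodes the EAP header, Identity, Nak, the flags octet shared by the TLS-based methods and the MSCHAPv2 challenge, joins fragmented EAP-Message attributes per RADIUS packet, and reports where the conversation stopped. The sample log lines are constructed from the hex values quoted in the thread (an Identity response, an MSCHAPv2 challenge, the Nak asking for TTLS, and the TTLS Start), and the line shapes it matches are assumed to be those of `radiusd -X` as shown above.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_eap(hexstr):
    """Decode one EAP packet from the 0x... hex that radiusd -X prints."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} but {len(raw)} octets present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                  # Success/Failure carry no Type octet
        return pkt
    etype, data = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                      # Identity: outer user name, in the clear
        pkt["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:                    # Nak: the methods the peer will accept
        pkt["desired"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype in (13, 21, 25):         # TLS-based methods share one flags octet
        f = data[0]
        pkt["flags"] = {"L": bool(f & 0x80), "M": bool(f & 0x40),
                        "S": bool(f & 0x20), "version": f & 0x07}
    elif etype == 26 and data and data[0] == 1:   # MSCHAPv2 Challenge (opcode 1)
        ms_len = struct.unpack("!H", data[2:4])[0]
        vsize = data[4]
        pkt["challenge"] = data[5:5 + vsize].hex()
        pkt["name"] = data[5 + vsize:ms_len].decode("utf-8", "replace")
    return pkt


RECV = re.compile(r"^rad_recv: Access-Request")
SEND = re.compile(r"^Sending Access-\w+")
EAPM = re.compile(r"^\s*EAP-Message =\s*(0x[0-9a-fA-F]+)?\s*$")
HEX = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s*$")


def eap_conversation(log_text):
    """Return [(direction, packet), ...] in log order. The EAP-Message
    attributes of one RADIUS packet are fragments of one EAP packet, so their
    hex is joined at the next rad_recv/Sending boundary before decoding."""
    events, frags = [], []
    direction, continued = None, False

    def boundary(new_direction):
        nonlocal direction
        if frags:
            events.append((direction, parse_eap("".join(frags))))
            frags.clear()
        direction = new_direction

    for line in log_text.splitlines():
        m = EAPM.match(line)
        if RECV.match(line):
            boundary("supplicant->server")
        elif SEND.match(line):
            boundary("server->supplicant")
        elif m:
            if m.group(1):
                frags.append(m.group(1)[2:])
            continued = m.group(1) is None      # hex wrapped onto the next line
        elif continued and HEX.match(line):
            frags.append(HEX.match(line).group(1)[2:])
            continued = False
        else:
            continued = False
    boundary(None)
    return events


def diagnose(events):
    """Say where the exchange stopped, the way Alan reads the log above."""
    if not events:
        return "no EAP traffic in the log"
    direction, last = events[-1]
    if last["code"] in ("Success", "Failure"):
        return f"EAP {last['code']} sent by the server"
    if direction == "server->supplicant" and last["code"] == "Request":
        return (f"server sent EAP-Request id={last['id']} type={last['type']} "
                "and nothing came back: the supplicant stopped, check its logs")
    return "exchange still in progress"


# Constructed sample: the EAP-Message values quoted in the thread, in order.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 145.238.3.182:1026, id=191, length=208
        EAP-Message = 0x0201000a017261636861
Sending Access-Challenge of id 191 to 145.238.3.182:1026
        EAP-Message =
0x0102001f1a0102001a105f4f4c366e47d80b1c27e30d08b4b0367261636861
rad_recv: Access-Request packet from host 145.238.3.182:1026, id=192, length=222
        EAP-Message = 0x020200060315
Sending Access-Challenge of id 192 to 145.238.3.182:1026
        EAP-Message = 0x010300061520
"""

if __name__ == "__main__":
    conv = eap_conversation(SAMPLE_LOG)
    for direction, pkt in conv:
        print(direction, pkt)
    print(diagnose(conv))
```

Run against the sample, the decoded exchange reads: the supplicant sends its Identity, the server offers MSCHAPv2, the supplicant Naks that and asks for TTLS, the server sends a TTLS Start, and the log ends there. Every following Access-Request in the thread's log would start a new EAP packet; when none arrives, the place to look is the supplicant, exactly as Alan says.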


Re: EAP/TTLS problem with Win XP and Linux

2007-10-04 Thread elhammoud rachida




 Hello,
 I'm trying to use RADIUS to authenticate and authorise users via EAP/TTLS
 from XP and Linux (Debian); I'm using only a « users »-like database.
 I'm reading the documentation: http://wiki.freeradius.org
 I've imported root.pem on both Windows XP and Linux
...
 the server sends no response, why??

  You are not reading the debug log correctly.  The server IS sending a
challenge.  The NAS (or supplicant) then does not continue with the next
EAP packet.

Yes, exactly.


  Odds are you don't have the root certificates configured correctly.
I'm using openssl-0.9.7 to generate the certificates, and I'm importing
root.pem on Linux


 and this log by Windows XP
...

  The same thing.

  It's a certificate problem.  The supplicants have decided that they
don't like the servers certificate.  They then stop doing EAP.

Can I use the certificates that exist in freeradius-1.1.7? Is that
sufficient?

  Look at the logs on the supplicant to see why they're stopping EAP.


On Linux, I ran this:
wireshark -i eth0
but no response.
On Windows, I have this:
start
Request, Identity
Response,MS-EAP-Authentication
Response, NAK (response only)
Request, EAP-TTLS
Client Hello
Request, EAP-TTLS
Response, EAP-TTLS
Server Hello, Certificate, Server Hello Done
Continuation Data
Start
Failure


  Alan DeKok.

thanks






Re: EAP/TTLS problem with Win XP and Linux

2007-10-04 Thread Alan DeKok
elhammoud rachida wrote:
   It's a certificate problem.  The supplicants have decided that they
 don't like the server's certificate.  They then stop doing EAP.

 Can I use the certificates that exist in freeradius-1.1.7? Is that
 sufficient?

  What I mean is that the supplicants do not accept the certificate that
the server sends.  To find out why, LOOK AT THE SUPPLICANT LOGS.

   Look at the logs on the supplicant to see why they're stopping EAP.

 On Linux, I ran this:
 wireshark -i eth0
 but no response.

  eth0 isn't usually a wireless device.

  And using wireshark isn't looking at the supplicant logs.

  Go read the supplicant documentation for its certificate needs.

  Go read the supplicant documentation for how to enable extended logging.

  Ask supplicant questions on the mailing lists for the supplicants.  Do
not ask supplicant questions on this list.

  Alan DeKok.


Re: EAP/TTLS problem with Win XP and Linux

2007-10-04 Thread elhammoud rachida





 On Linux, I ran this:
 wireshark -i eth0
 but no response.

  eth0 isn't usually a wireless device.

Because I'm testing on wired, not on wireless.



One question: should I use openssl to generate the certificates?
I have difficulty understanding the implementation of EAP/TTLS with
Windows XP.
In the case of EAP/TTLS PAP, I need only the server certificate, and the
client uses his login and password to authenticate?

I haven't found much explanation about the certificates in the documentation


  Go read the supplicant documentation for its certificate needs.




  Go read the supplicant documentation for how to enable extended logging.


thanks


  Alan DeKok.






Re: EAP/TTLS problem with Win XP and Linux

2007-10-04 Thread tnt
One question: should I use openssl to generate the certificates?

You can also use scripts provided with the distribution (certs.sh and
CA.all).

I have difficulty understanding the implementation of EAP/TTLS with
Windows XP.

Not difficult at all - there isn't one. You have to download SecureW2,
install and configure it. Then select the connection on which you want
to implement this, Properties, Authentication, tick 802.1x box and
select SecureW2 for the EAP type from the list.

In the case of EAP/TTLS PAP, I need only the server certificate, and the
client uses his login and password to authenticate?

Yes.

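That "Yes." is the whole security model of TTLS with PAP: the client authenticates the server by its certificate, and then sends login and password inside the TLS tunnel as Diameter-style AVPs (RFC 5281 section 10), with nothing but the tunnel protecting them. This is why Alan insists on the supplicant's certificate checks, and why the inner method needs no client certificate. The Python below is an added example, not code from the thread, from FreeRADIUS or from SecureW2: it builds and parses that inner payload. The user name and password are constructed sample values; AVP codes 1 and 2 are the RADIUS attribute numbers, which RFC 5281 reuses for standard attributes; the zero-padding of the password to a 16-octet multiple mirrors what RADIUS does with User-Password and what common supplicants do in the tunnel to hide its length.

```python
import struct

# RFC 5281 reuses RADIUS attribute numbers as AVP codes (no Vendor-Id)
USER_NAME = 1
USER_PASSWORD = 2
FLAG_VENDOR = 0x80      # V bit: a 4-octet Vendor-Id follows the length
FLAG_MANDATORY = 0x40   # M bit: a receiver that does not understand it must fail


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """One AVP: code(4) flags(1) length(3) [vendor_id(4)] data, then zero
    padding to a 4-octet boundary; length covers header and data, not padding."""
    flags = FLAG_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    if length > 0xFFFFFF:
        raise ValueError("AVP data too long for the 24-bit length field")
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + vendor + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf):
    """Walk a sequence of AVPs. A malformed length is a hard error: a TTLS
    server parses this straight out of the tunnel from a client it has not
    authenticated yet."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr, vendor_id = 8, None
        if flags & FLAG_VENDOR:
            if len(buf) - off < 12:
                raise ValueError("truncated Vendor-Id")
            vendor_id = struct.unpack("!I", buf[off + 8:off + 12])[0]
            hdr = 12
        if length < hdr or off + length > len(buf):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        avps.append({"code": code, "vendor_id": vendor_id,
                     "mandatory": bool(flags & FLAG_MANDATORY),
                     "data": buf[off + hdr:off + length]})
        off += length + ((-length) % 4)      # step over the padding as well
    return avps


def pap_inner_payload(username, password):
    """Client side: what the first tunneled record carries for TTLS/PAP."""
    pw = password.encode()
    pw += b"\x00" * ((-len(pw)) % 16)        # pad to hide the password length
    return encode_avp(USER_NAME, username.encode()) + encode_avp(USER_PASSWORD, pw)


def parse_pap_inner(buf):
    """Server side: recover (username, password); refuse any mandatory AVP we
    do not understand, as RFC 5281 section 10.1 requires; ignore optional ones."""
    creds = {}
    for avp in decode_avps(buf):
        if avp["vendor_id"] is None and avp["code"] in (USER_NAME, USER_PASSWORD):
            value = avp["data"]
            if avp["code"] == USER_PASSWORD:
                value = value.rstrip(b"\x00")  # strip the padding added above
            creds[avp["code"]] = value.decode()
        elif avp["mandatory"]:
            raise ValueError(f"unknown mandatory AVP code={avp['code']} "
                             f"vendor={avp['vendor_id']}")
    return creds.get(USER_NAME), creds.get(USER_PASSWORD)


if __name__ == "__main__":
    payload = pap_inner_payload("racha", "secret")   # constructed sample values
    print(payload.hex())
    print(parse_pap_inner(payload))
```

Printing the payload hex shows the password sitting in clear text right after its AVP header; the only thing standing between it and anyone able to present a certificate the supplicant accepts is the certificate validation the supplicant performs before the tunnel is up.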


Re: ttls problem

2007-05-10 Thread tevfik
 for tkiziloren
radius_xlat:  '(uid=tkiziloren)'
radius_xlat:  'ou=people,dc=anadolu,dc=edu,dc=tr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with
filter (uid=tkiziloren)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tkiziloren authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap_1x returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 148 to 10.10.7.203 port 1645
Message-Authenticator = 0x
State = 0xb63cf9e5375c651683e69b8c2d8543fc
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 146 with timestamp 4642d682
Cleaning up request 1 ID 147 with timestamp 4642d682
Cleaning up request 2 ID 148 with timestamp 4642d682
Nothing to do.  Sleeping until we see a request.


A.L.M.Buxey wrote:
 
 Hi,
 
 However, when I try to perform the same task using SecureW2 on an XP client,
 it always shows "attempting to authenticate",
 
 did you configure SecureW2 to allow new connections?
 
 alan

-- 
View this message in context: 
http://www.nabble.com/ttls-problem-tf3717596.html#a10408620
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: ttls problem

2007-05-10 Thread Alan DeKok
tevfik wrote:
 I wasn't able to see any problem with ldap configuration because it works
 with radtest command.

  Which doesn't use EAP.  It means that your server configuration is
mostly correct, but something else might still go wrong.

 Is there a problem with my LDAP configuration? Is there any weird message in
 my debug log?

  The supplicant is starting EAP, doing part of EAP, and then giving up.
 See the logs on the supplicant for why it's doing this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
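The stall Alan describes can be read straight off the EAP-Message hex that radiusd -X prints. The script below is an added example, not code from the thread or from FreeRADIUS: it groups the EAP-Message attributes by RADIUS packet, decodes the EAP header and the EAP-TTLS flags byte of each one, and reports whether the supplicant has ever sent TLS data or only ACKs. The sample log is constructed in the shape of the thread's output; the client ACK 0x020400061500 is taken from the thread, the server fragment is made up.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TTLS = 21  # EAP method type of EAP-TTLS (RFC 5281)

# Lines that open a RADIUS packet in 'radiusd -X' output, and the EAP-Message
# attribute lines; radiusd may print the hex value on the following line.
RECV_RE = re.compile(r"^\s*rad_recv: (\S+) packet from host (\S+), id=(\d+)")
SEND_RE = re.compile(r"^\s*Sending (\S+) of id (\d+) to (\S+)")
EAPMSG_RE = re.compile(r"^\s*EAP-Message =\s*(0x[0-9a-fA-F]*)?\s*$")
HEX_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s*$")


def decode_eap(packet):
    """Decode the EAP header and, for EAP-TTLS, the flags byte plus the
    optional 4-byte TLS message length that the L flag announces."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": length != len(packet)}  # EAP-Message chunks missing?
    if code in (1, 2) and len(packet) >= 5:
        info["type"] = packet[4]
    if info.get("type") == EAP_TYPE_TTLS and len(packet) >= 6:
        flags = packet[5]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20), "version": flags & 0x07}
        body = packet[6:]
        if flags & 0x80 and len(body) >= 4:  # L set: total TLS length follows
            info["tls_total_len"] = int.from_bytes(body[:4], "big")
            body = body[4:]
        info["tls_data_len"] = len(body)  # 0 bytes of TLS data is a bare ACK
    return info


def parse_log(text):
    """Group the EAP-Message hex by RADIUS packet. All EAP-Message attributes
    of one RADIUS packet concatenate into a single EAP packet (RFC 3579)."""
    packets, current, value_on_next_line = [], None, False
    for line in text.splitlines():
        m = RECV_RE.match(line) or SEND_RE.match(line)
        if m:
            inbound = m.re is RECV_RE
            current = {"direction": "client->server" if inbound else "server->client",
                       "radius_code": m.group(1),
                       "radius_id": int(m.group(3) if inbound else m.group(2)),
                       "hex": ""}
            packets.append(current)
            value_on_next_line = False
            continue
        if current is None:
            continue
        m = EAPMSG_RE.match(line)
        if m:
            if m.group(1):
                current["hex"] += m.group(1)[2:]
            else:
                value_on_next_line = True  # value printed on the next line
            continue
        if value_on_next_line:
            m = HEX_RE.match(line)
            if m:
                current["hex"] += m.group(1)[2:]
            value_on_next_line = False
    for p in packets:
        p["eap"] = decode_eap(bytes.fromhex(p["hex"])) if p["hex"] else None
    return packets


def diagnose(packets):
    """Has the supplicant ever sent TLS data inside EAP-TTLS, or has it only
    ACKed the server's fragments (the stall seen in the thread's logs)?"""
    client = [p["eap"] for p in packets
              if p["direction"] == "client->server" and p["eap"]
              and p["eap"].get("type") == EAP_TYPE_TTLS]
    if not client:
        return "NO_TTLS_TRAFFIC"
    if all(e.get("tls_data_len", 0) == 0 for e in client):
        return "STALLED_CLIENT_ACK_ONLY"  # next place to look: supplicant log
    return "CLIENT_SENT_TLS_DATA"


# Constructed sample in the shape of the thread's log: the client's bare ACK
# (0x020400061500 is from the thread) and a made-up server fragment with the
# L and M flags set, TLS total length 512 and three bytes of TLS data.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.7.203:1645, id=0, length=148
        User-Name = "tkiziloren"
        EAP-Message = 0x020400061500
        State = 0x74d2bac8b603cafd625c55c0992b70ba
  rlm_eap_tls: ack handshake fragment handler
Sending Access-Challenge of id 0 to 10.10.7.203 port 1645
        EAP-Message =
        0x0105000d15c00000020016
        EAP-Message = 0x0301
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 6
"""

if __name__ == "__main__":
    for p in parse_log(SAMPLE_LOG):
        print(p["direction"], p["radius_code"], p["radius_id"], p["eap"])
    print(diagnose(parse_log(SAMPLE_LOG)))
```

Run against a real -X capture, a long run of STALLED_CLIENT_ACK_ONLY while the server's fragments still carry the M flag means the client is waiting out the certificate delivery, exactly the point at which the thread says to read the supplicant's own log.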


Re: ttls problem

2007-05-10 Thread A . L . M . Buxey
Hi,

what are the permissions of your certificates? can radiusd (or whatever
the ID is of the freeradius process) read them?

alan


Re: ttls problem

2007-05-10 Thread SecureW2 (List)
tevfik,

Post the question in the SecureW2 forum, www.securew2.com/forum/. I will 
get back to you via the forum.

Regards,

Tom

tevfik schreef:
 did you configure SecureW2 to allow new connections?
 

 Yes, I tried both combinations; nothing changed.

 In addition to this, when I enter the correct username but a wrong password, I get
 a similar debug log, which I listed below.

 I wasn't able to see any problem with the LDAP configuration because it works
 with the radtest command. (That is, when I entered the correct username but a wrong
 password, I got an Access-Reject message. When both of them were correct, I got
 an Access-Accept.)

 Is there a problem with my LDAP configuration? Is there any weird message in
 my debug log?

 I have been dealing with this for about 20 days. Could anybody tell me what's
 wrong with it?

 Thanks in advance:

 My full debug log (the username was entered correctly, the password incorrectly):
 -
 ldap:~ # radiusd -X -A
 Starting - reading configuration files ...
 reread_config:  reading radiusd.conf
 Config:   including file: /etc/raddb/proxy.conf
 Config:   including file: /etc/raddb/clients.conf
 Config:   including file: /etc/raddb/snmp.conf
 Config:   including file: /etc/raddb/eap.conf
 Config:   including file: /etc/raddb/sql.conf
  main: prefix = /usr
  main: localstatedir = /var
  main: logdir = /var/log/radius
  main: libdir = /usr/lib/freeradius
  main: radacctdir = /var/log/radius/radacct
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = /var/log/radius/radius.log
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = /var/run/radiusd/radiusd.pid
  main: user = radiusd
  main: group = radiusd
  main: usercollide = no
  main: lower_user = no
  main: lower_pass = no
  main: nospace_user = no
  main: nospace_pass = no
  main: checkrad = /usr/sbin/checkrad
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = no
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
 read_config_files:  reading dictionary
 read_config_files:  reading naslist
 read_config_files:  reading clients
 read_config_files:  reading realms
 radiusd:  entering modules setup
 Module: Library search path is /usr/lib/freeradius
 Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
 rlm_exec: Wait=yes but no output defined. Did you mean output=none?
 Module: Instantiated exec (exec)
 Module: Loaded expr
 Module: Instantiated expr (expr)
 Module: Loaded PAP
  pap: encryption_scheme = crypt
 Module: Instantiated pap (pap)
 Module: Loaded CHAP
 Module: Instantiated chap (chap)
 Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = (null)
  mschap: authtype = MS-CHAP
  mschap: ntlm_auth = (null)
 Module: Instantiated mschap (mschap)
 Module: Loaded System
  unix: cache = no
  unix: passwd = (null)
  unix: shadow = (null)
  unix: group = (null)
  unix: radwtmp = /var/log/radius/radwtmp
  unix: usegroup = no
  unix: cache_reload = 600
 Module: Instantiated unix (unix)
 Module: Loaded LDAP
  ldap: server = ldap.anadolu.edu.tr
  ldap: port = 389
  ldap: net_timeout = 1
  ldap: timeout = 4
  ldap: timelimit = 3
  ldap: identity = 
  ldap: tls_mode = no
  ldap: start_tls = no
  ldap: tls_cacertfile = (null)
  ldap: tls_cacertdir = (null)
  ldap: tls_certfile = (null)
  ldap: tls_keyfile = (null)
  ldap: tls_randfile = (null)
  ldap: tls_require_cert = allow
  ldap: password = 
  ldap: basedn = ou=people,dc=anadolu,dc=edu,dc=tr
  ldap: filter = (uid=%u)
  ldap: base_filter = (objectclass=radiusprofile)
  ldap: default_profile = (null)
  ldap: profile_attribute = (null)
  ldap: password_header = (null)
  ldap: password_attribute = (null)
  ldap: access_attr = (null)
  ldap: groupname_attribute = cn
  ldap: groupmembership_filter =
 (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
  ldap: groupmembership_attribute = (null)
  ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
  ldap: ldap_debug = 0
  ldap: ldap_connections_number = 5
  ldap: compare_check_items = no
  ldap: access_attr_used_for_allow = yes
  ldap: do_xlat = yes
  ldap: edir_account_policy_check = yes
  ldap: set_auth_type = yes
 rlm_ldap: Registering ldap_groupcmp for Ldap-Group
 rlm_ldap: Creating new attribute ldap_1x-Ldap-Group
 

Re: ttls problem

2007-05-10 Thread tevfik
   modcall[authorize]: module preprocess returns ok for request 2
   modcall[authorize]: module chap returns noop for request 2
   modcall[authorize]: module mschap returns noop for request 2
 rlm_realm: No '@' in User-Name = tkiziloren, skipping NULL due to
 config.
   modcall[authorize]: module suffix returns noop for request 2
   rlm_eap: EAP packet type response id 4 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 2
 users: Matched entry DEFAULT at line 29
   modcall[authorize]: module files returns ok for request 2
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for tkiziloren
 radius_xlat:  '(uid=tkiziloren)'
 radius_xlat:  'ou=people,dc=anadolu,dc=edu,dc=tr'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with
 filter (uid=tkiziloren)
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user tkiziloren authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap_1x returns ok for request 2
 modcall: leaving group authorize (returns updated) for request 2
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 2
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/ttls
   rlm_eap: processing type ttls
   rlm_eap_ttls: Authenticate
   rlm_eap_tls: processing TLS
 rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack handshake fragment handler
   eaptls_verify returned 1
   eaptls_process returned 13
   modcall[authenticate]: module eap returns handled for request 2
 modcall: leaving group authenticate (returns handled) for request 2
 Sending Access-Challenge of id 148 to 10.10.7.203 port 1645
 Message-Authenticator = 0x
 State = 0xb63cf9e5375c651683e69b8c2d8543fc
 Finished request 2
 Going to the next request
 Waking up in 6 seconds...
 --- Walking the entire request list ---
 Cleaning up request 0 ID 146 with timestamp 4642d682
 Cleaning up request 1 ID 147 with timestamp 4642d682
 Cleaning up request 2 ID 148 with timestamp 4642d682
 Nothing to do.  Sleeping until we see a request.


 A.L.M.Buxey wrote:
   
 Hi,

 
 However, when I try to perform the same task using SecureW2 on an XP client,
 it always shows "attempting to authenticate",
   
 did you configure SecureW2 to allow new connections?

 alan


Re: ttls problem

2007-05-10 Thread tevfik

Can I post my radiusd.conf and eap.conf here? Would it be helpful?



A.L.M.Buxey wrote:
 
 Hi,
 
 what are the permissions of your certificates? can radiusd (or whatever
 the ID is of the freeradius process) read them?
 
 alan


Re: ttls problem

2007-05-10 Thread tevfik


My certificates have read, write and execute permissions.



A.L.M.Buxey wrote:
 
 Hi,
 
 what are the permissions of your certificates? can radiusd (or whatever
 the ID is of the freeradius process) read them?
 
 alan


Re: ttls problem

2007-05-10 Thread tevfik
  modcall[authorize]: module eap returns updated for request 2
users: Matched entry DEFAULT at line 29
  modcall[authorize]: module files returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tkiziloren
radius_xlat:  '(uid=tkiziloren)'
radius_xlat:  'ou=people,dc=anadolu,dc=edu,dc=tr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with
filter (uid=tkiziloren)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tkiziloren authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap_1x returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 95 to 10.10.7.203 port 1645
Message-Authenticator = 0x
State = 0xde79aad44e660ac881793c6fbdd7bdab
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 93 with timestamp 46431731
Cleaning up request 1 ID 94 with timestamp 46431731
Cleaning up request 2 ID 95 with timestamp 46431731
Nothing to do.  Sleeping until we see a request.


A.L.M.Buxey wrote:
 
 Hi,
 
 what are the permissions of your certificates? can radiusd (or whatever
 the ID is of the freeradius process) read them?
 
 alan


ttls problem

2007-05-09 Thread tevfik

Hi. I have problems with performing authentication with freeradius.

When I use the command:

radtest tkiziloren password ldap.anaadolu.edu 10 testing123 

I get the message below:

rad_recv: Access-accepted...

However, when I try to perform the same task using SecureW2 on an XP client, it
always shows "attempting to authenticate".
I pasted the debug output of radiusd below:

I am new to freeradius. Could anybody help me find where the problem is? Is
there a problem with the certificate?

(I use cisco aironet 1200 AP)

Thanks in advance.

Tevfik Kızılören.


rad_recv: Access-Request packet from host 10.10.7.203:1645, id=0, length=148
User-Name = tkiziloren
Framed-MTU = 1400
Called-Station-Id = 0017.0e85.f190
Calling-Station-Id = 0011.2fb9.d08b
Service-Type = Login-User
Message-Authenticator = 0xfcbf4e4b477d844b3826ae784cd6977e
EAP-Message = 0x020400061500
NAS-Port-Type = Wireless-802.11
NAS-Port = 675
State = 0x74d2bac8b603cafd625c55c0992b70ba
NAS-IP-Address = 10.10.7.203
NAS-Identifier = testbum
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
  modcall[authorize]: module chap returns noop for request 6
  modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = tkiziloren, skipping NULL due to
config.
  modcall[authorize]: module suffix returns noop for request 6
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 6
users: Matched entry DEFAULT at line 29
  modcall[authorize]: module files returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tkiziloren
radius_xlat:  '(uid=tkiziloren)'
radius_xlat:  'ou=people,dc=anadolu,dc=edu,dc=tr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with
filter (uid=tkiziloren)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tkiziloren authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap_1x returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 0 to 10.10.7.203 port 1645
Message-Authenticator = 0x
State = 0x9d3c9b53656089b1510d55b3a1f50a33
Finished request 6
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 0 with timestamp 46421b1a
Cleaning up request 4 ID 254 with timestamp 46421b1a
Cleaning up request 5 ID 255 with timestamp 46421b1a
Nothing to do.  Sleeping until we see a request.


Re: ttls problem

2007-05-09 Thread A . L . M . Buxey
Hi,

 However, when I try to perform the same task using SecureW2 on an XP client, it
 always shows "attempting to authenticate",

did you configure SecureW2 to allow new connections?

alan


Re: EAP-TTLS problem at phase 1

2006-10-21 Thread K. Hoercher

Hi,

as mentioned in various places in the documentation and countless
times on this list:

On 10/21/06, Rafiqul Ahsan [EMAIL PROTECTED] wrote:


Here is my users file :

testuser Auth-Type := EAP, User-Password := testuser


DEFAULT Auth-Type := EAP


Don't set Auth-Type.



Here is the radius log (only shown the failed part)

rlm_fastusers:  checking defaults
  fastusers: Matched DEFAULT at 6
  modcall[authorize]: module fastusers returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
 rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1


That's pretty much non-informative. In case the above fix does not yet
yield the desired results, provide the full debug output.

regards
K. Hoercher
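K. Hoercher's point, that Auth-Type should not be hard-coded in the users file because rlm_eap sets it itself during authorize, is easy to check mechanically. The following is an added example, not the thread's or FreeRADIUS's code: it parses a users file in the format posted above, lists the entries that force Auth-Type, and writes the file back without them. The function names are mine, and the sample file is constructed from the one in the thread with the quotation marks assumed.

```python
import re

# attribute, operator, value (bare or double-quoted); items are comma-separated
ITEM_RE = re.compile(
    r'([A-Za-z0-9_.-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=\*|!\*|=|>|<)\s*'
    r'("(?:[^"\\]|\\.)*"|[^,\s]+)')
ENTRY_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|\S+)\s*(.*)$')


def split_items(text):
    """Return [(attribute, operator, value)] with surrounding quotes removed."""
    items = []
    for m in ITEM_RE.finditer(text):
        value = m.group(3)
        if value.startswith('"'):
            value = value[1:-1]
        items.append((m.group(1), m.group(2), value))
    return items


def parse_users(text):
    """An entry starts in column 0 (name plus check items); the indented lines
    that follow are its reply items. Blank and comment lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # reply item(s) of the current entry
            if entries:
                entries[-1]["reply"].extend(split_items(line))
            continue
        m = ENTRY_RE.match(line)
        name, rest = m.group(1), m.group(2)
        if name.startswith('"'):
            name = name[1:-1]
        entries.append({"name": name, "check": split_items(rest), "reply": []})
    return entries


def forced_auth_type(entries):
    """Every (entry, operator, value) that sets Auth-Type as a check item."""
    return [(e["name"], op, val) for e in entries
            for attr, op, val in e["check"] if attr == "Auth-Type"]


def strip_auth_type(entries):
    """Drop Auth-Type check items; an entry left with nothing (like the bare
    'DEFAULT Auth-Type := EAP' from the thread) is dropped entirely."""
    fixed = []
    for e in entries:
        check = [i for i in e["check"] if i[0] != "Auth-Type"]
        if check or e["reply"]:
            fixed.append({"name": e["name"], "check": check, "reply": e["reply"]})
    return fixed


def _fmt(value):
    return value if re.fullmatch(r"[A-Za-z0-9_.:@+-]+", value) else f'"{value}"'


def render_users(entries):
    """Write entries back in users-file syntax (reply lines end in a comma
    except the last one)."""
    out = []
    for e in entries:
        check = ", ".join(f"{a} {op} {_fmt(v)}" for a, op, v in e["check"])
        out.append(f'{e["name"]}\t{check}'.rstrip())
        for i, (a, op, v) in enumerate(e["reply"]):
            sep = "," if i < len(e["reply"]) - 1 else ""
            out.append(f"\t{a} {op} {_fmt(v)}{sep}")
        out.append("")
    return "\n".join(out)


# Constructed from the users file posted in the thread (quotes assumed).
USERS_BEFORE = '''\
testuser Auth-Type := EAP, User-Password := "testuser"

DEFAULT Auth-Type := EAP
'''

if __name__ == "__main__":
    entries = parse_users(USERS_BEFORE)
    print("hard-coded Auth-Type:", forced_auth_type(entries))
    print(render_users(strip_auth_type(entries)))
```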


Re: EAP-TTLS problem at phase 1

2006-10-21 Thread Rafiqul Ahsan
Dear Hoercher,

Thank you for your email. I noticed that too; however, it didn't seem to work, and it stopped with an error even before that with the following users entry:

testuser User-Password := testuser

The error was about no matching anonymous_identity, and that's why I had to have a DEFAULT entry after this with Auth-Type := EAP.

Do you suggest any particular format for my users file? Please note, the phase 1 user identity is anonymous_identity, and the phase 2 user/password is testuser/testuser.

Below is my full debug output. Please advise further ...

Rafi



# ./radiusd -X -A -f -s
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 4
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 20
security: reject_delay = 2
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded DIGEST
Module: Instantiated digest (digest)
Module: Loaded eap
eap: default_eap_type = ttls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = yes
tls: dh_key_exchange = no
tls: rsa_key_length = 1024
tls: dh_key_length = 1024
tls: verify_depth = 2
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/freeradius/etc/certs/key2.pem
tls: certificate_file = /etc/freeradius/etc/certs/cert2.pem
tls: CA_file = /etc/freeradius/etc/certs/cacert.pem
tls: private_key_password = wimax i2 test certs
tls: dh_file = /etc/freeradius/etc/certs/dh
tls: random_file = /etc/freeradius/etc/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = %{User-Name}
tls: cipher_list = (null)
tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = mschapv2
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 

Re: EAP-TTLS problem at phase 1

2006-10-21 Thread K. Hoercher

Hi,

OK, I played around a bit and found EAP-TTLS working with no
particular problems.

On 10/21/06, Rafiqul Ahsan [EMAIL PROTECTED] wrote:

testuser User-Password := testuser

looks ok, but I'm not absolutely sure about the quotation marks for
the username, they are not needed in any case.



the error was about no matching anonymous_identity, and thats why I had to
have a DEFAULT entry after this with Auth-Type :=EAP.


As you didn't show that error one cannot check for its real cause.
With everything else correctly configured you don't need that setting (and
it might be actually wrong depending on circumstances).


Do you suggest any particular format of my users file ? Please note, the
phase 1 user identity is anonymous_identity, and phase 2 user/passwd is
testuser/testuser.


I did take note. So, take an unaltered users file and just add your
line as mentioned above.
Something I found in your previous post led to a failure here. Use
phase2=autheap=MSCHAPV2
instead of
phase2=auth=MSCHAPV2


modcall: entering group authenticate for request 1
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request


That does look strange (and might indicate your real problem), if it
still persists with the suggested changes it might be useful to dig
further into that. Perhaps you could add another -x to the freeradius
invocation to get timestamps on the logfile.

regards
K. Hoercher


Re: EAP-TTLS problem at phase 1

2006-10-21 Thread Rafiqul Ahsan
Hello Hoercher,

Please see below answers/questions (in red):

 OK, I played around a bit and found EAP-TTLS working with no
 particular problems.

 On 10/21/06, Rafiqul Ahsan [EMAIL PROTECTED] wrote:
  testuser User-Password := testuser

 looks ok, but I'm not absolutely sure about the quotation marks for
 the username, they are not needed in any case.

testuser User-Password := testuser
I will try with only the above entry in the users file.

  the error was about no matching anonymous_identity, and that's why I had to have a DEFAULT entry after this with Auth-Type := EAP.

 As you didn't show that error one cannot check for its real cause.
 With everything else correctly configured you don't need that setting (and
 it might be actually wrong depending on circumstances).

OK, I found some postings about disabling username_identity_check for user anonymous... here it is:

Quote
I guess since somebody implemented this check, there must be some broken NASes out there... and the attached patch fixes this situation. If user sets username_identity_check = no in
eap section it will disable this check. The default for this setting is yes.
Unquote

So, now I have added this patch to the files eap.c, rlm_eap.h, and rlm_eap.c, and compiled. I will test this on Monday. I am expecting this patch will get past this anonymous user check phase in the radius
server. I will post you the result on that. Please let me know if you are aware of this.

  Do you suggest any particular format for my users file? Please note, the phase 1 user identity is anonymous_identity, and the phase 2 user/password is
  testuser/testuser.

 I did take note. So, take an unaltered users file and just add your
 line as mentioned above.
 Something I found in your previous post led to a failure here. Use
 phase2=autheap=MSCHAPV2
 instead of
 phase2=auth=MSCHAPV2

Not sure where we configure this phase2=autheap=MSCHAPV2? Are we at phase 2 yet? I thought we have not passed phase 1... can you please clarify?

  modcall: entering group authenticate for request 1
  rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
  EAP-request

 That does look strange (and might indicate your real problem), if it
 still persists with the suggested changes it might be useful to dig
 further into that. Perhaps you could add another -x to the freeradius
 invocation to get timestamps on the logfile.

I will test with the above patch and see if we can pass the anonymous identity check problem. If it persists, I will recompile with the original files mentioned above, and test again to give you the full debug logs.

Thanks
Rafi

 regards
 K. Hoercher

EAP-TTLS problem at phase 1

2006-10-20 Thread Rafiqul Ahsan

Hi all,
I have been trying to figure this out for a couple of days, but could not get any clue. My test is about authentication with EAP-TTLS/MSCHAPV2.
I am using freeradius v1.1.3 on Solaris 10.
No matter what I do, I get "rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request" at the server.
Can anybody help me with what went wrong? Here are my configs and logs (truncated).
Awaiting some solution...
Rafi


Here is my eap.conf
 eap {
 	default_eap_type = ttls
 	timer_expire = 60
 	ignore_unknown_eap_types = no
 	cisco_accounting_username_bug = no
 	md5 {
 	}
 	leap {
 	}
 	gtc {
 		auth_type = PAP
 	}
 	tls {
 		rsa_key_exchange = yes
 		dh_key_exchange = no
 		rsa_key_length = 1024
 		dh_key_length = 1024
 		verify_depth = 2
 		pem_file_type = yes
 		private_key_password = wimax i2 test certs
 		private_key_file = /etc/freeradius/etc/certs/key2.pem
 		certificate_file = /etc/freeradius/etc/certs/cert2.pem
 		CA_file = /etc/freeradius/etc/certs/cacert.pem
 		dh_file = /etc/freeradius/etc/certs/dh
 		random_file = /etc/freeradius/etc/certs/random
 		fragment_size = 1024
 		include_length = yes
 		check_cert_cn = %{User-Name}
 	}
 	ttls {
 		default_eap_type = mschapv2
 		# copy_request_to_tunnel = no
 		# use_tunneled_reply = no
 	}
 	peap {
 		default_eap_type = mschapv2
 		# copy_request_to_tunnel = no
 		# use_tunneled_reply = no
 		# proxy_tunneled_request_as_eap = yes
 	}
 	mschapv2 {
 	}
 }


Here is my users file :

testuser Auth-Type := EAP, User-Password := testuser

DEFAULT Auth-Type := EAP

Here is my supplicant config :
# cat supplicant.conf
ctrl_interface=/var/tmp/supplicant.ctl
eap_trace=1
enableWiMAXauth=1
validateFNECerts=1
checkCRL=1
ignoreTimeOfDay=0
update_config=0
data_interface=/var/tmp/supplicant_data.ctl
ap_scan=0
fast_reauth=1
load_dynamic=/usr/lib/wpa_supplicant/eap_ttls.so
network={
    eap=TTLS
    eap_workaround=1
    anonymous_identity=anonymous_identity
    ca_path=/var/tmp/truststore
    ca_cert=/var/tmp/root.crt
    client_cert=/var/tmp/cpe.crt
    private_key=/var/tmp/key
    private_key_passwd=wimax i2 test certs
    phase2=auth=MSCHAPV2
}


Here is the radius log (only shown the failed part)

rlm_fastusers: checking defaults
 fastusers: Matched DEFAULT at 6
 modcall[authorize]: module fastusers returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
 rad_check_password: Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
 rlm_eap: Failed in handler
 modcall[authenticate]: module eap returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1

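As an added example (not code from this thread, from wpa_supplicant or from FreeRADIUS): the phase 1 that fails above is a run of EAP-TTLS packets carrying TLS handshake fragments, so the Python below builds and decodes such packets to show what fragment_size and include_length in eap.conf control on the wire, and what a receiver has to verify (EAP length field, identifier sequence, L/M/S flags, total TLS length) before it can hand the reassembled record to the TLS layer. The TLS payload and EAP identifiers are constructed here, not captured from the poster's setup; the builder places the L flag and total length on the first fragment as RFC 5281 describes, which is an assumption about the protocol layout, not a claim about rlm_eap_tls's internals.

```python
"""
EAP-TTLS phase 1 on the wire: EAP header, TTLS flags, fragment reassembly.

Added example for this thread; not code from the posters, wpa_supplicant
or FreeRADIUS. The TLS payload and EAP identifiers below are constructed.
Layouts follow RFC 3748 (EAP) and RFC 5281 (EAP-TTLS flags: L M S R R V V V).
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TTLS = 21
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length included, more fragments, start
EAP_HEADER = struct.Struct("!BBH")          # code, identifier, length


def parse_eap(packet):
    """Decode the EAP header; the length field must match the bytes actually received."""
    if len(packet) < EAP_HEADER.size:
        raise ValueError("truncated EAP header")
    code, ident, length = EAP_HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("EAP length %d != %d bytes on the wire" % (length, len(packet)))
    eap = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < EAP_HEADER.size + 1:
            raise ValueError("Request/Response without a Type byte")
        eap["type"] = packet[4]
        eap["data"] = packet[5:]
    return eap


def parse_ttls(data):
    """Decode the EAP-TTLS flags byte and the optional 4-byte TLS message length."""
    if not data:
        raise ValueError("EAP-TTLS payload lacks the flags byte")
    flags, body = data[0], data[1:]
    ttls = {"version": flags & 0x07, "L": bool(flags & FLAG_L),
            "M": bool(flags & FLAG_M), "S": bool(flags & FLAG_S), "total_length": None}
    if ttls["L"]:
        if len(body) < 4:
            raise ValueError("L flag set but the TLS length field is missing")
        ttls["total_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    ttls["fragment"] = body
    return ttls


def ttls_start(ident):
    """The EAP-Request/TTLS-Start the server sends to open phase 1 (S flag, no data)."""
    body = bytes([EAP_TYPE_TTLS, FLAG_S])
    return EAP_HEADER.pack(EAP_REQUEST, ident, EAP_HEADER.size + len(body)) + body


def build_ttls_packets(tls_message, fragment_size, first_id, include_length=True, code=EAP_REQUEST):
    """Split one TLS message into EAP-TTLS packets of at most fragment_size bytes of
    TLS data each (what eap.conf's fragment_size and include_length control).
    L flag + total length on the first fragment, M flag on all but the last,
    identifiers increasing by one modulo 256."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    pieces = [tls_message[i:i + fragment_size]
              for i in range(0, len(tls_message), fragment_size)] or [b""]
    packets = []
    for n, piece in enumerate(pieces):
        flags, length_field = 0, b""
        if n == 0 and include_length:
            flags |= FLAG_L
            length_field = struct.pack("!I", len(tls_message))
        if n < len(pieces) - 1:
            flags |= FLAG_M
        body = bytes([EAP_TYPE_TTLS, flags]) + length_field + piece
        ident = (first_id + n) & 0xFF
        packets.append(EAP_HEADER.pack(code, ident, EAP_HEADER.size + len(body)) + body)
    return packets


def reassemble(packets):
    """Rebuild the TLS message from a sequence of EAP-TTLS packets, rejecting an
    identifier gap, inconsistent flags, or a total length that does not add up."""
    buf, expected_id, total = bytearray(), None, None
    for n, packet in enumerate(packets):
        eap = parse_eap(packet)
        if eap["type"] != EAP_TYPE_TTLS:
            raise ValueError("expected EAP-TTLS (type 21), got type %r" % eap["type"])
        if expected_id is not None and eap["id"] != expected_id:
            raise ValueError("EAP id %d out of sequence, expected %d" % (eap["id"], expected_id))
        expected_id = (eap["id"] + 1) & 0xFF
        ttls = parse_ttls(eap["data"])
        if ttls["L"]:
            if total is not None and ttls["total_length"] != total:
                raise ValueError("TLS length changed between fragments")
            total = ttls["total_length"]
        last = n == len(packets) - 1
        if ttls["M"] == last:
            raise ValueError("M flag %s on packet %d" % ("set" if last else "clear", n))
        buf += ttls["fragment"]
    if total is not None and len(buf) != total:
        raise ValueError("reassembled %d bytes, header promised %d" % (len(buf), total))
    return bytes(buf)


# Constructed stand-in for a 1280-byte server handshake flight; not a real TLS record.
SAMPLE_TLS = bytes(range(256)) * 5


def demo(fragment_size=500):
    """Fragment SAMPLE_TLS as the server side would and reassemble it as the peer would."""
    packets = build_ttls_packets(SAMPLE_TLS, fragment_size, first_id=10)
    return len(packets), reassemble(packets) == SAMPLE_TLS


if __name__ == "__main__":
    print(parse_ttls(parse_eap(ttls_start(9))["data"]))
    print("fragments, round trip ok:", demo())
```

With fragment_size = 1024 as in the eap.conf above, a 1280-byte flight becomes two EAP-Requests; with fragment_size = 500 it becomes three. A mismatch between the EAP length field and the datagram, a skipped identifier, or a fragment set whose bytes never add up to the advertised total are the things to look for in a debug trace when the server reports an EAP-Response it cannot tie to an outstanding EAP-Request.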

EAP-TLS and EAP-TTLS problem in my config

2006-01-13 Thread Riccardo.Veraldi

Hello,
I need to authenticate users with EAP-TTLS, but I do not
want users who have a certificate to be able to use it
to authenticate themselves at the same time. I have seen that to enable EAP-TTLS the EAP-TLS
module also needs to be configured in eap.conf.
Everything works with EAP-TTLS, but users can also authenticate with EAP-TLS
using a personal certificate.
I want to forbid authentication via EAP-TLS with the certificate and
allow only EAP-TTLS.

How can I do it?
I was not able to find a solution other than listing all the login names of
the users in the users file, but this is not very scalable... I would like to do it
with a DEFAULT stanza but was unable to achieve what I need.
Thank you very much

Rick



Re: EAP-TLS and EAP-TTLS problem in my config

2006-01-13 Thread Alan DeKok
Riccardo.Veraldi [EMAIL PROTECTED] wrote:
 I want to forbid authentication via EAP-TLS with the certificate, and 
 allow only EAP-TTLS how can I do it ?

  Add this to the top of your users file (if your system follows the
default configuration)

#---
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject

#---

  Alan DeKok.


EAP-TTLS problem

2005-05-24 Thread Ignacio Siles
Hello,

I'm using freeradius 1.0.2 with Red Hat Enterprise Server 3 and MySQL.
I have the following problem with EAP-TTLS:
authentication is successful using a Proxim 8470-WD a/b/g PCMCIA card,
but fails with a Zyxel G-405 802.11g Wireless LAN Ethernet Adapter.

I've checked both freeradius logs and the only difference I see is this:

With the proxim card:
-
auth: type MSCHAP 

With Zyxel Adapter:
---
auth: type System 


For your information, I include the complete freeradius log when using
the Zyxel wireless adapter:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = no
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /var/ssl/certs/cert-srv.pem
 tls: certificate_file = /var/ssl/certs/cert-srv.pem
 tls: CA_file = /var/ssl/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /var/ssl/certs/dh
 tls: random_file = /var/ssl/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = yes
 ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 

Re: EAP-TTLS problem

2005-05-24 Thread Alan DeKok
Ignacio Siles [EMAIL PROTECTED] wrote:
 I've checked both freeradius logs and the only difference I see is this:
 
 With the proxim card:
 -
 auth: type MSCHAP 
 
 With Zyxel Adapter:
 ---
 auth: type System 

  So... Don't set Auth-Type = System.

  Alan DeKok.
