SOLVED - Re: xp sp3 and freeradius 2.0.5

2008-08-11 Thread Oxiel Contreras
Hello.

Thanks to all for your accurate replies. Lech was right, the problem with the 4500 
is the handshake (dis)function; it works like a charm!!, and so does Cisco gear 
too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3, 
Vista, Win2KX.

BUT, the 5500 is not working; the characteristics of this switch are:

5500G-EI - 3CR17254-91
os 3.02.04s168
bootrom v 4.0.3

This firmware version is the latest available as of today, and doesn't have the 
option to disable the handshake, so it doesn't work at all. For any soul out 
there trying to make this switch work, help me out by asking 3COM to correct 
their software and allow disabling the handshake as the 4500s do..

Best regards to all of you; this software and this list rock!!!

Oxiel

On Fri, 8 Aug 2008, Lech Karol Pawłaszek wrote:
 Arran Cudbard-Bell wrote:
  I let the client stay on VLAN1, not moving to another vlan, the same
  behavior: the PC gets ACCESS-ACCEPT but then it tries again, until the
  exclamation icon appears, no ping to the client at all.

  What can it be? What am I doing wrong? Is the problem XP SP3, or
  is it the 3COM 5500G-EI?

  Didn't we have exactly the same problem on the list, like a week ago?
  You have upgraded to the latest firmware for your 3COM switch, right?

 Yup. It's me who had this problem. Actually my switches are from the 4500
 family and Oxiel's are 5500; however, those families are kind of similar.

 Oxiel: use the newest available firmware for your switches (the one from
 12th of May) - namely 3.03.1.

 Then disable the handshake (dis)function.

 5500 system-view
 [5500] undo dot1x handshake enable

 And, because I've found another bug, you'll have to use the port-based
 authentication method instead of the default MAC-based:

 [5500] dot1x port-method portbased

 If you have any further questions, feel free to ask.

 Kind regards,




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SOLVED - Re: xp sp3 and freeradius 2.0.5

2008-08-11 Thread Krzysztof Olędzki

On 2008-08-11 15:10, Oxiel Contreras wrote:

Hello.

Hello,

Thanks to all for your accurate replies. Lech was right, the problem with the 4500 
is the handshake (dis)function; it works like a charm!!, and so does Cisco gear 
too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3, 
Vista, Win2KX.


BUT, 5500 is not working, the characteristics of this switch are:

5500G-EI - 3CR17254-91
os 3.02.04s168
bootrom v 4.0.3

This firmware version is the latest available as of today, 


No, it is not:

http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CR17250-91&order=desc

Filename              Release Date   Version   File Size
s4c03_03_01s168.exe   01 Apr 2008    3.03.01   12.77 MB

3CR17254-91 is only a chassis.

Best regards,

Krzysztof Olędzki



Re: xp sp3 and freeradius 2.0.5

2008-08-08 Thread Arran Cudbard-Bell


I let the client stay on VLAN1, not moving to another vlan, the same 
behavior: the PC gets ACCESS-ACCEPT but then it tries again, until the 
exclamation icon appears, no ping to the client at all.


What can it be? What am I doing wrong? Is the problem XP SP3, or is it the 3COM 
5500G-EI?


Didn't we have exactly the same problem on the list, like a week ago? 
You have upgraded to the latest firmware for your 3COM switch, right?


Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services), 
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT

DDI+FAX: +44 1273 873900 | INT: 3900



Re: xp sp3 and freeradius 2.0.5

2008-08-08 Thread Lech Karol Pawłaszek

Arran Cudbard-Bell wrote:


I let the client stay on VLAN1, not moving to another vlan, the same 
behavior: the PC gets ACCESS-ACCEPT but then it tries again, until the 
exclamation icon appears, no ping to the client at all.


What can it be? What am I doing wrong? Is the problem XP SP3, or 
is it the 3COM 5500G-EI?


Didn't we have exactly the same problem on the list, like a week ago? 
You have upgraded to the latest firmware for your 3COM switch, right?


Yup. It's me who had this problem. Actually my switches are from 4500 
family and Oxiel's are 5500 however those families are kind of similar.


Oxiel: use the newest available firmware for your switches (the one from 
12th of May) - namely 3.03.1.


Then disable the handshake (dis)function.

5500 system-view
[5500] undo dot1x handshake enable

And, because I've found another bug, you'll have to use the port-based 
authentication method instead of the default MAC-based:


[5500] dot1x port-method portbased

If you have any further questions, feel free to ask.

Kind regards,

--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]

Re: xp sp3 and freeradius 2.0.5

2008-08-07 Thread Oxiel Contreras
Hello Ivan.

While negotiating, XP SP3 and the switch show this traffic:

[1  User-name   ] [26] [host/pccen115.cosmart.bo]
[32 NAS-Identifier  ] [14] [001cc5363882]
[5  NAS-Port] [6 ] [268439553]
[87 NAS_Port_Id ] [34] [unit=1;subslot=0;port=1;vlanid=1]
[61 NAS-Port-Type   ] [6 ] [15]
[31 Caller-ID   ] [16] [303030352D356437622D38643561]
*0.40057968 5500G-EI RDS/8/DEBUG:- 1 -
[40 Acct-Status-Type] [6 ] [2]
[45 Acct-Authentic  ] [6 ] [1]
[44 Acct-Session-Id ] [15] [110500011106f]
[4  NAS-IP-Address  ] [6 ] [192.168.100.245]
[55 Event-Timestamp ] [6 ] [1104577657]
[3com-26 Connect_ID   ] [6 ] [35]
*0.40057969 5500G-EI RDS/8/DEBUG:- 1 -
[3com-29 Input_Peak_Rate  ] [6 ] [0]
[3com-2  Input_Average_Rate   ] [6 ] [0]
[3com-4  Output_Peak_Rate ] [6 ] [0]
[3com-5  Output_Average_Rate  ] [6 ] [0]
[3com-22 Priority ] [6 ] [0]
[3com-60 Ip-Host-Addr ] [27] [0.0.0.0 00:05:5d:7b:8d:5a]
*0.40057969 5500G-EI RDS/8/DEBUG:- 1 -
[46 Acct-Session-Time   ] [6 ] [97]
[41 Acct-Delay-Time ] [6 ] [0]
[42 Acct-Input-Octets   ] [6 ] [93000]
[47 Acct-Input-Packets  ] [6 ] [352]
[43 Acct-Output-Octets  ] [6 ] [126726]
[48 Acct-Output-Packets ] [6 ] [698]
*0.40057970 5500G-EI RDS/8/DEBUG:- 1 -
[52 Acct_Input_Gigawords] [6 ] [0]
[53 Acct_Output_Gigawords   ] [6 ] [0]
[49 Terminate-Cause ] [6 ] [2]

I let the client stay on VLAN1, not moving to another vlan, the same 
behavior: the PC gets ACCESS-ACCEPT but then it tries again, until the 
exclamation icon appears, no ping to the client at all.

What can it be? What am I doing wrong? Is the problem XP SP3, or is it the 3COM 
5500G-EI?

Regards.

Oxiel

On Tuesday, 8 Jul 2008, Ivan Kalik wrote:
 As you noted the client gets Access-Accept once, but then for some
 reason I don't know, it loses connection and never gets access to the
 network; on Windows the network icon shows trying to connect, then
 later gets the exclamation sign on the icon. I first thought it was
 something with the VLAN assignment, so I removed it and let it stay on
 VLAN 1, but the same behavior.

 Certificates are fine, the RADIUS server is fine. Your NAS is dropping the
 connection. Debug the NAS and see what it is complaining about.

 It's quite normal for Windows domain access to authenticate machine
 first and user later, once machine is on the network.

 Ivan Kalik
 Kalik Informatika ISP





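An added example, not part of the thread: a small Python parser for the 3Com `RDS/8/DEBUG` attribute dump Oxiel posted above. It checks each attribute's declared length against its decoded value (a RADIUS attribute length includes the 2-byte type/length header), decodes Caller-ID (attribute 31, Calling-Station-Id, which the switch prints as hex) and the MAC inside the 3Com `Ip-Host-Addr` VSA so the two can be compared, and names the RFC 2865/2866 enumeration values for Acct-Status-Type, Terminate-Cause, NAS-Port-Type and Acct-Authentic. The sample input is a subset of the dump re-typed for this example; how 3Com prints VSA lengths and integer VSAs is an assumption, marked in the code.

```python
import re
from typing import Dict, List, Optional

# One attribute per line in the 3Com "RDS/8/DEBUG" dump:
#   [<type> <name>] [<length, incl. the 2-byte RADIUS attribute header>] [<value>]
ATTR_RE = re.compile(r"^\[(\S+)\s+(\S+)\s*\]\s*\[\s*(\d+)\s*\]\s*\[(.*)\]\s*$")

# Value names from RFC 2865 / RFC 2866 for the integer attributes in the dump.
ACCT_STATUS_TYPE = {1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On", 8: "Accounting-Off"}
TERMINATE_CAUSE = {1: "User-Request", 2: "Lost-Carrier", 3: "Lost-Service", 4: "Idle-Timeout",
                   5: "Session-Timeout", 6: "Admin-Reset", 7: "Admin-Reboot", 8: "Port-Error",
                   9: "NAS-Error", 10: "NAS-Request", 11: "NAS-Reboot"}
NAS_PORT_TYPE = {0: "Async", 5: "Virtual", 15: "Ethernet", 19: "Wireless-802.11"}
ACCT_AUTHENTIC = {1: "RADIUS", 2: "Local", 3: "Remote"}

# Standard attributes whose value is a fixed 4 bytes on the wire (so length == 6).
INTEGER_ATTRS = {"5", "40", "41", "42", "43", "45", "46", "47", "48", "49", "52", "53", "55", "61"}
IPADDR_ATTRS = {"4", "8"}
# Caller-ID is attribute 31 (Calling-Station-Id); the switch prints its octets as hex.
HEX_STRING_ATTRS = {"31"}

# Constructed input: a subset of the switch dump from the thread, re-typed for this example.
SAMPLE_DUMP = """\
[1  User-name   ] [26] [host/pccen115.cosmart.bo]
[32 NAS-Identifier  ] [14] [001cc5363882]
[5  NAS-Port] [6 ] [268439553]
[87 NAS_Port_Id ] [34] [unit=1;subslot=0;port=1;vlanid=1]
[61 NAS-Port-Type   ] [6 ] [15]
[31 Caller-ID   ] [16] [303030352D356437622D38643561]
*0.40057968 5500G-EI RDS/8/DEBUG:- 1 -
[40 Acct-Status-Type] [6 ] [2]
[45 Acct-Authentic  ] [6 ] [1]
[44 Acct-Session-Id ] [15] [110500011106f]
[4  NAS-IP-Address  ] [6 ] [192.168.100.245]
[3com-60 Ip-Host-Addr ] [27] [0.0.0.0 00:05:5d:7b:8d:5a]
[46 Acct-Session-Time   ] [6 ] [97]
[49 Terminate-Cause ] [6 ] [2]
"""


def parse_dump(text: str) -> List[Dict[str, object]]:
    """Return one dict per attribute line; the '*... RDS/8/DEBUG' separators are skipped."""
    attrs: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs.append({"type": m.group(1), "name": m.group(2),
                          "length": int(m.group(3)), "value": m.group(4)})
    return attrs


def normalize_mac(s: str) -> str:
    """Accept '0005-5d7b-8d5a', '00:05:5d:7b:8d:5a' or '00055d7b8d5a'; return the colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", s).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {s!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def expected_length(attr: Dict[str, object]) -> int:
    """Length the attribute should carry for its decoded value, header included."""
    t, v = str(attr["type"]), str(attr["value"])
    if t in INTEGER_ATTRS or t in IPADDR_ATTRS:
        return 6
    if t in HEX_STRING_ATTRS:
        return 2 + len(bytes.fromhex(v))
    if t.startswith("3com-") and v.isdigit():
        return 6  # assumption: 3Com prints integer VSAs as plain decimal
    return 2 + len(v.encode())  # assumption: VSA lengths are printed the same way as standard ones


def check_lengths(attrs: List[Dict[str, object]]) -> List[str]:
    """Names of attributes whose declared length disagrees with the decoded value."""
    return [str(a["name"]) for a in attrs if expected_length(a) != a["length"]]


def summarize(attrs: List[Dict[str, object]]) -> Dict[str, object]:
    """Decode the fields that matter for the 'Access-Accept, then the port drops' symptom."""
    by_type = {str(a["type"]): str(a["value"]) for a in attrs}

    def enum(t: str, table: Dict[int, str]) -> Optional[str]:
        return table.get(int(by_type[t]), by_type[t]) if t in by_type else None

    out: Dict[str, object] = {
        "user": by_type.get("1"),
        "port_type": enum("61", NAS_PORT_TYPE),
        "acct_status": enum("40", ACCT_STATUS_TYPE),
        "acct_authentic": enum("45", ACCT_AUTHENTIC),
        "terminate_cause": enum("49", TERMINATE_CAUSE),
        "session_time": int(by_type["46"]) if "46" in by_type else None,
        "caller_mac": None,
        "host_mac": None,
    }
    if "31" in by_type:  # hex of a text string such as '0005-5d7b-8d5a'
        out["caller_mac"] = normalize_mac(bytes.fromhex(by_type["31"]).decode("ascii"))
    if "3com-60" in by_type:  # '<ip> <mac>' pair; the MAC is the last token
        out["host_mac"] = normalize_mac(by_type["3com-60"].split()[-1])
    out["mac_match"] = out["caller_mac"] is not None and out["caller_mac"] == out["host_mac"]
    return out


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print("length mismatches:", check_lengths(parsed) or "none")
    for key, val in summarize(parsed).items():
        print(f"{key:>16}: {val}")
```

On this input every declared length is consistent with its value, Caller-ID decodes to the same MAC the switch reports in `Ip-Host-Addr`, and the record is an accounting Stop with Terminate-Cause 2 (Lost-Carrier) after 97 seconds on an Ethernet port: the accounting side of the disconnect the thread is chasing, not a RADIUS rejection.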


Re: xp sp3 and freeradius 2.0.5

2008-07-08 Thread Oxiel Contreras
Hello Alan.

 further to previous post - your log shows several WARNING
 entries - fix those.

Yes, fixed with the eap.conf indications.

 finally, read eap.conf - especially the part about Windows
 systems not responding to EAP challenges...which is what your
 log looks like

I've read it again, this time consciously, but I think it is already
there; maybe I'm missing something, please correct me. As I know, SP3
already brings the patch needed with SP2.

As you noted the client gets Access-Accept once, but then for some
reason I don't know, it loses connection and never gets access to the
network; on Windows the network icon shows trying to connect, then
later gets the exclamation sign on the icon. I first thought it was
something with the VLAN assignment, so I removed it and let it stay on
VLAN 1, but the same behavior.

Another thing that made me doubt was the username received by FR; most
of the time it is the machine name, host/caja02.cosmart.bo, instead of
the domain username COSMART\\jat. So, as Tom pointed out in a previous
email, I'm using the wired configuration service in Windows services; I'm
not doing wireless at all, so I disabled MPPE keys, put use_mppe = no in the
mschap module, but messages like these continue to appear with
radiusd -X:

MS-MPPE-Recv-Key =
0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
MS-MPPE-Send-Key =
0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480

Lastly, I will regenerate the certs the new way; sorry, I stayed with
1.X long ago and recently upgraded to 2.0.5. What I did was to copy
the certs directory from my previous working setup; I guess there's
something different.

I'll let you know as soon as possible.

Best regards.

Oxiel


Re: xp sp3 and freeradius 2.0.5

2008-07-08 Thread Ivan Kalik
As you noted the client gets Access-Accept once, but then for some
reason I don't know, it loses connection and never gets access to the
network; on Windows the network icon shows trying to connect, then
later gets the exclamation sign on the icon. I first thought it was
something with the VLAN assignment, so I removed it and let it stay on
VLAN 1, but the same behavior.

Certificates are fine, the RADIUS server is fine. Your NAS is dropping the
connection. Debug the NAS and see what it is complaining about.

It's quite normal for Windows domain access to authenticate machine
first and user later, once machine is on the network.

Ivan Kalik
Kalik Informatika ISP



RE: xp sp3 and freeradius 2.0.5

2008-07-08 Thread Matt Ashfield
I'm seeing the same problems with Vista devices:

Sending Access-Accept of id 12 to 131.202.9.32 port 2048
User-Name = u3t98
Tunnel-Private-Group-Id:0 = Academic
Tunnel-Type:0 = VLAN
MS-MPPE-Recv-Key =
0xce1ea72659c68cceba45498192e03bbb73292f9cdc314bbdea6e5ede0302b86a
MS-MPPE-Send-Key =
0xe2cafe2564df85dd04dddb4816c00c8afeea831cbbdb444b45789625771f6c9c
EAP-Message = 0x03180004
Message-Authenticator = 0x

Even though I have MPPE disabled in FR:

mschap {
#
#  As of 0.9, the mschap module does NOT support
#  reading from /etc/smbpasswd.
#
#  If you are using /etc/smbpasswd, see the 'passwd'
#  module for an example of how to use /etc/smbpasswd

# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
#use_mppe = no
 use_mppe = no

Thoughts?


Matt Ashfield
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of SecureW2 (List)
Sent: Monday, July 07, 2008 10:58 AM
To: 'FreeRadius users mailing list'
Subject: RE: xp sp3 and freeradius 2.0.5

Dear Oxiel,

Are you using wired or wireless 802.1x?

I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when
the MPPE keys are being sent by the RADIUS server (which are not used in
(most) wired 802.1X setups): 

Sending Access-Accept of id 8 to 192.168.100.245 port 5001
User-Name = host/caja02.cosmart.bo
MS-MPPE-Recv-Key =
0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
MS-MPPE-Send-Key =
0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
EAP-Message = 0x03090004
Message-Authenticator = 0x

If you are using wired try disabling the MPPE keys in Freeradius.

Regards,

Tom

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Ivan Kalik
 Sent: Monday, 7 July 2008 15:32
 To: freeradius-users@lists.freeradius.org
 Subject: Re: xp sp3 and freeradius 2.0.5
 
 Has anybody managed to authenticate XP SP3 with the default 802.1x client to
 freeradius?
 
 You!
 
 Sending Access-Accept of id 8 to 192.168.100.245 port 5001
 User-Name = host/caja02.cosmart.bo
 MS-MPPE-Recv-Key =
 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
 MS-MPPE-Send-Key =
 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
 EAP-Message = 0x03090004
 Message-Authenticator = 0x
 
 Ivan Kalik
 Kalik Informatika ISP
 


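A note and config fragment added here, not from anyone in the thread. For PEAP and EAP-TLS the MS-MPPE-Send-Key / MS-MPPE-Recv-Key pair in the Access-Accept is derived by the EAP module from the TLS session's keying material; the `use_mppe` setting in the mschap module only governs keys that mschap itself adds, so `use_mppe = no` leaves the pair in the reply exactly as Matt and Oxiel observe. If you want the keys dropped for wired ports, filter them in `post-auth` instead, keyed off the NAS-Port-Type the switch sends (the 3Com dump earlier in the thread shows 15, Ethernet). The file path and the `!* ANY` deletion syntax are assumptions to check against `man unlang` for the installed FreeRADIUS version:

```unlang
# /etc/raddb/sites-enabled/default  (FreeRADIUS 2.x, unlang; added example, not from the thread)
post-auth {
        # Wired 802.1X ports (NAS-Port-Type = Ethernet, value 15) have no use for the
        # MPPE key material.  Wireless APs do need it, so the condition is deliberate.
        if (NAS-Port-Type == Ethernet) {
                update reply {
                        MS-MPPE-Send-Key !* ANY
                        MS-MPPE-Recv-Key !* ANY
                }
        }

        # ... the rest of the existing post-auth section stays as it is ...
}
```

Never apply this unconditionally: wireless access points need the MS-MPPE keys (they become the WPA/WPA2 pairwise master key), so stripping them there breaks every wireless client. Confirm the change with `radiusd -X`: the `Sending Access-Accept` block for a wired client should no longer list the two keys.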


xp sp3 and freeradius 2.0.5

2008-07-07 Thread Oxiel
Hello Gurus.

Apologies if this mail arrives twice; the first time I sent it (05/Jul/08), 
nothing showed on the list or in the archive.

I'm new to freeradius 2.0.5; I compiled it from sources and installed it on CentOS 
v5.0. XP SP2 clients authenticate without problems with PEAP, but XP SP3 clients don't.

I've searched the entire list, but found no reference to XP SP3.

Has anybody managed to authenticate XP SP3 with the default 802.1x client to 
freeradius? I haven't yet tried Vista, but I suspect it will have the same 
problem.

This is the log:

Best regards.

Oxiel

[EMAIL PROTECTED] ~]# radiusd -X
FreeRADIUS Version 2.0.5, for host x86_64-redhat-linux-gnu, built on Jul  5 
2008 at 10:14:20
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib64
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
 client 192.168.100.245 {
require_message_authenticator = no
secret = secreto
shortname = 192.168.100.245
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none

Re: xp sp3 and freeradius 2.0.5

2008-07-07 Thread A . L . M . Buxey
hi,

we use FR 2.0.5 (and have used 0.9 through to the current version too).
Vista was supported from 1.1.4 upwards.

we've had no issues (so far!) with XP SP3 or Vista systems on 2.0.5

alan


Re: xp sp3 and freeradius 2.0.5

2008-07-07 Thread A . L . M . Buxey
hi,

further to previous post: your log shows several WARNING
entries; fix those.

Finally, read eap.conf, especially the part about Windows
systems not responding to EAP challenges, which is what your 
log looks like.

alan


RE: xp sp3 and freeradius 2.0.5

2008-07-07 Thread SecureW2 (List)
Dear Oxiel,

Are you using wired or wireless 802.1x?

I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when
the MPPE keys are being sent by the RADIUS server (which are not used in
(most) wired 802.1X setups): 

Sending Access-Accept of id 8 to 192.168.100.245 port 5001
User-Name = host/caja02.cosmart.bo
MS-MPPE-Recv-Key =
0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
MS-MPPE-Send-Key =
0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
EAP-Message = 0x03090004
Message-Authenticator = 0x

If you are using wired try disabling the MPPE keys in Freeradius.

Regards,

Tom

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Ivan Kalik
 Sent: Monday, 7 July 2008 15:32
 To: freeradius-users@lists.freeradius.org
 Subject: Re: xp sp3 and freeradius 2.0.5
 
 Has anybody managed to authenticate XP SP3 with the default 802.1x client to
 freeradius?
 
 You!
 
 Sending Access-Accept of id 8 to 192.168.100.245 port 5001
 User-Name = host/caja02.cosmart.bo
 MS-MPPE-Recv-Key =
 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
 MS-MPPE-Send-Key =
 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
 EAP-Message = 0x03090004
 Message-Authenticator = 0x
 
 Ivan Kalik
 Kalik Informatika ISP
 
