patch provided by
<[EMAIL PROTECTED]> & <[EMAIL PROTECTED]> for key generation,
with the subject EAP-TLS key generation on June 20th in user list archive.
If possible, test that patch and let us know your experience.
-Raghu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Does that mean that you are also including the
>patch? The description above is kind of meaningless without the code.
>
>
I am willing to apply the patch.
As I do not have any resources to test your patch,
I would appreciate if someone on this list can test your patch
and let us know their
ot already done that).
>
>EAPOL-Key messages may or may not become deprecated (I haven't seen
>any indications of the latter, but I don't have access to TgI internal
>documents/discussions) however that is a non-issue for the Authentication
>Server since the EAPOL-Key messages are exchanged from AP to STA.
>
My question is, if EAPOL-Key messages are to be deprecated then the
purpose/advantage of your patch is lost, as the Secret sharing between
AS & AP is no longer required.
What is your opinion?
-Raghu
-
Henrik Eriksson wrote:
>>From: Raghu [mailto:[EMAIL PROTECTED]]
>>Sent: Tuesday, July 09, 2002 7:35 PM
>>
>>
>>If you have already tested it I would like to take your point.
>>If I got your point right then,
>>
>>1. Authentication server
n last month and I might have missed many mails.
I just got your patch from the archives.
Your patch looks good to me except for use of VSA (MS-MPPE-...).
I am still not sure, if the supplicant is linux based and cisco AP is used,
What Radius attributes should be used for these key sharing?
Ple
> Has the level of support for EAP changed in 0.6 from what there was in 0.5?
> It still doesn't support cisco LEAP correct ?
Only MD5 and TLS are supported. LEAP is not supported.
I am not sure, if anyone is currently working on it.
-Raghu
-
e eap_tls code. I suspect it's because of my
misuse of OPENSSL libraries, but I have no proof yet.
ACKNOWLEDGEMENTS
Primary author - Raghu <[EMAIL PROTECTED]>
hould take care of proxying.
In fact, Freeradius can also handle EAP-Start
Requests with the above configuration.
-Raghu
-
s is User-Name attribute is created
from EAP-Identity response, if it is not present.
The other modules should take care of proxying.
-Raghu
-
erver -> ap: Access Reject(3) (id=12)
>
> then a sequence of ignored requests follows:
> ap -> server: Access Request(1) (id=13)
>
> As you know, the second Request is interpreted as a Notification message
> causing the reject...
>
> Which data would be interesting?
>
RADIUS/EAP data
1. with your old configuration
2. with Auth-Type := EAP
-Raghu
-
le. It's called 'system' for historical reasons.
>
> Why would i do Auth-Type := System for EAP/MD5 then??? That's what Raghu
> said I should do.
> What does Local mean then? "files"?
>
No.
What I meant is,
Your user file configuration was
>
est to see if it would make a
> > difference, but clearly it didn't.
>
> well, that's what i thought. but since my EAP didn't work, they all
> (Alan, Raghu) have proposed to use Auth-Type := System instead. so, it
> seems to be the vice versa?
>
To avoid furthe
tty new to the Unix world, so I could very easily have missed something.
>
> I am running FreeRadius CVS snapshot from 5/20/2002 on Red Hat 7.1.
>
> If anyone has any ideas, they would be greatly appreciated.
>
Try,
ldd /path/rlm_eap_tls.so
It might give you some clue about missing libraries.
-Raghu
-
> into the REQUEST->config_items VALUE_PAIR.
>
> Yes, evidently the password is not given to the module for validation...
>
It looks like a configuration issue.
If you can post your Users file, radiusd.conf and the corresponding logs,
it would certainly help us to locate the problem.
-Raghu
-
ike that:
>
> authorize {
> preprocess
> eap
> suffix
> files
> }
>
or try eap as the last one in the above authorize block.
> authenticate {
> eap
> }
>
> any idea where this comes from?
The problem is that the configured User-Password is never picked
into the REQUEST->config_items VALUE_PAIR.
-Raghu
-
Chris Parker wrote:
>
> Yes, but that has far less support ( at the moment ) than IPSec and is
> still draft. :\
>
I think, for now EAP-TTLS does not have any added advantage over IPSec.
Just curious, how did you find that it has less support?
-Raghu
-
at.
Only after the successful handshake is done,
Radius attributes are passed, encrypted, to perform PAP, CHAP etc.
-Raghu
-
> Again, can anyone help ?
In radiusd.conf
authorize {
    ldap
    eap
}
authenticate {
    eap
}
In authorize block,
ldap should get the Configured password.
eap should set the authenticate type as EAP
In authenticate block,
eap authentication should take place.
-Raghu
-
aymonds question, probably, is EAP-TTLS,
which is not currently supported in freeradius.
Anyway EAP-TTLS is still a draft and not an RFC.
-Raghu
-
y appreciated .. thanks!
>
Which version of Freeradius are you running?
Grab the latest CVS snapshot, it should be fine.
-Raghu
-
Sunil Chitnis wrote:
>
> Raghu,
> Thanks much for your prompt reply.
> Could you please also post the relevant config entries for user "raghu" to
> do EAP-MD5 authentication?
> I believe I have some missing config entries. I used the TLS
b2ec405f54c47455db43c219a
The problem is here.
Radius Server is sending Access-Challenge packet with State Attribute.
During the Challenge response, Your AP should send the same
State Attribute UN-MODIFIED.
Find out why your AP is truncating this Value.
-Raghu
-
orth (including VSAs).
>
For EAP-TLS debug o/p check
http://www.missl.cs.umd.edu/~adam/802
Typical, EAP-MD5 debug o/p
rad_recv: Access-Request packet from host 192.168.1.225:1034, id=0,
length=119
User-Name = "raghu"
NAS-IP-Address = 192.20.100.1
Calle
ize returns updated
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Multiple EAP_Message attributes found
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - tls
> rlm_eap: processing
d ...
AP is sending Radius packets with EAP-Message.
So you cannot do 'System' authentication as there
is no User-Password.
Configure Auth-Type := EAP for the user "test"
In radiusd.conf add 'eap' in authorize and authenticate
sections.
-Raghu
-
keys working with freeradius ? ... Any pointers/help
> would be greatly appreciated !
>
Dynamic generation of WEP keys is not supported in FR.
Patches are welcome. I guess that will be in a different module.
-Raghu
-
David Wong wrote:
>
> can anybody verify if freeradius works with cisco's
> 350 series wireless access point? and if not, can
Yes. It works for me even for EAP-MD5 & EAP-TLS.
-Raghu
-
cb4b05b943d8a3c5
>
> ... And then no answer, XP client cannot connect to the network...
Strangely Access-Challenge is sending User-Password attribute.
Check your radius configuration. This should never happen.
I am not sure about Orinoco AP-1000.
-Raghu
-
ne and I'll be glad to
>assist in the debugging.
>
Seg fault is already fixed.
Try to compile and run the freeradius from
the latest CVS snapshots and post your feedback.
--
(( ))
|
|.| HereUAre !!
|_| (( Raghu ))
-
@lists.cistron.nl/msg03808.html
--
(( ))
|
|.| HereUAre !!
|_| (( Raghu ))
-
of authentication over the network.
CHAP, EAP-MD5 are better but EAP-TLS is the best (IMHO).
--
(( ))
|
|.| HereUAre !!
|_| (( Raghu ))
-
nting packets are missing in the logs you posted.
Probably that is the reason radacct directory is empty.
Make sure your NAS sends accounting packets.
(( ))
|
|.| HereUAre !!
|_| (( Raghu ))
-
at are currently supported by
Freeradius
1. EAP-MD5
2. EAP-TLS
The one which you tested is EAP-md5. It is just similar to CHAP
authentication.
It works only with PLAIN TEXT passwords.
So if you have plain text password stored in files, database or LDAP,
then it works.
EAP-TLS is Certificate base
lem,
Place more debugging statements in eap_compose() and send the output.
-Raghu
-
request 0 ID 90 with timestamp 3c9a59dd
> Nothing to do. Sleeping until we see a request.
>
Server sent the Access-Challenge,
but never received any response from the AP.
Most likely some configuration issue at the AP/supplicant.
-Raghu
-
en just sends only the User-Name to AP.
AP then forwards this to Radius Server,
Radius Server now sends EAP-Response with some random Challenge value.
Supplicant then sends the challenge-response using the User-Password.
See CHAP rfc1994 for details.
-Raghu
-
got the chance to apply the patch I posted yesterday
& check it on Solaris ?
-Raghu
-
Raghu wrote:
> So there is no way that Zero length EAP-packets are allowed.
>
> Probably, I am overlooking.
I am suspecting that it is something to do with Byte Ordering.
Please let me know if the following patch fixes the
problem or not, as I am not able to simulate the problem
e() & eap_wireformat() in eap.c
-Raghu
-
\261\364\344\323X5\230\260\310\352\256\
> Segmentation fault
Same problem is reported a week back.
We need to figure out why EAP-Length is 0
and still it frames the EAP-packet.
Since I am not able to reproduce the problem here on linux,
If you can debug the problem and let us know your findings,
toget
The problem now is that Your 3com AP MODIFIED the State Attribute
that Radius Server sent and replied.
For some reason it stripped off the last bytes.
Try to verify, why this is happening.
-Raghu
-
nk there is some misconfiguration either on your AP or client.
You might also want to check, what EAP-Types ( like EAP-MD5 ...)
are supported by your 3com client & AP.
-Raghu
-
in the
> past any help would be greatly appreciated.
Password is never sent over the wire in case of EAP.
Your 3com client is sending an EAP message to the 3com Access point (AP)
and the AP is framing the RADIUS packet with EAP in it.
So enabling EAP authentication in the RADIUS server will help you.
-Raghu
-
s not a highly tested.
So It means Evaluate Yourself and share your experience.
Comments, feedback, bugs, patches... are welcome.
-Raghu
-
uggested can you also verify that Nortel switch that you are
using is rfc 2869 compliant for Message Authenticator.
-Raghu
-
t shared secrets.
-Raghu
-
t the root cause of this problem.
If possible try to send all the info like logs, configurations,
OS etc
-Raghu
-
enticate for the LAN-connection. The Freeradius debug-ouput is the
>following:
Looks like a configuration problem.
Can you send the radiusd.conf?
>Freeradius sends about 40 EAP-Messages until it fails with a core dump.
Can you use GDB on the core and send the output?
-Raghu
-
Hi, does FreeRadius support usernames encoded in UTF-8 ? I would like
usernames such as jörg and haräld
to be authenticated. If yes, which version of FreeRadius should I download ?
Thanks,
Raghu Seshadri
-
ap
> # radiusd.conf[383]: eap: Module instantiation
> # failed.
> # }
>
> }
Once you add the above subsection, this error message should
go off.
Let me know if the problem still exists.
-Raghu
-
age .. is it fully implemented ?
EAP module, as such is still not there in Freeradius to
perform authentications.
It should be coming soon, but I am not sure when.
-Raghu
-
ialogue about them, please post patches and messages to the list.
I agree. Only the good patches should be checked in
and not all the *crap* that I write.
I can re-start the work on EAP and send messages to the list.
If you can send in your comments, I am open to all your feedback
to redesign/restructu
these Requirements (ie rfc2869),
please send in your comments to freeradius, it helps
to make their way to CVS.
Once these patches are checked in,
any of us can start implementing EAP (rfc2284)
-Raghu
Marko Myllynen wrote:
> Dear Raghu,
>
> I noticed from freeradius mailing lists that