Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-20 Thread Vincent Guardiola
Hi, I've read the documentation and not found answers to my problem. I wonder if I explain my request correctly: I would like to use a client certificate and MSCHAPv2 in the same authentication in PEAP or TTLS. Use the client certificate to create the TLS tunnel and afterwards use MSCHAPv2 to authenticate.

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-20 Thread Alan DeKok
Vincent Guardiola wrote:
> I've read the documentation and not found answers to my problem.

It is documented.

> I wonder if I explain my request correctly: I would like to use a client certificate and MSCHAPv2 in the same authentication in PEAP or TTLS. Use the client certificate to create

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-20 Thread Vincent Guardiola
Ok, I don't understand why my config doesn't work, or maybe I've an error on my client. This is my conf:

eap.conf

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-20 Thread Alan DeKok
Vincent Guardiola wrote:
> Ok, I don't understand why my config doesn't work, or maybe I've an error on my client. This is my conf:

You've butchered the configuration. Why? The default configuration works. Use it. Then, read the default eap.conf, which contains documentation describing how

EAP-TTLS/EAP-PEAP Certificats

2011-12-15 Thread Vincent Guardiola
Hi all, I have just one question about client certificates with EAP-TTLS or EAP-PEAP. I would like to use client certificates with MSCHAPv2 authentication; is it possible? Is it possible to use client certificates to create the TLS tunnel and use MSCHAPv2 auth inside? In my test the authentication is

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-15 Thread Phil Mayers
On 15/12/11 14:29, Vincent Guardiola wrote:
> Hi all, I have just one question about client certificates with EAP-TTLS or EAP-PEAP. I would like to use client certificates with MSCHAPv2 authentication; is it possible?

Yes. This is documented in the eap.conf:

# You can make PEAP require a client

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-15 Thread Vincent Guardiola
Humm yes, but with this can I use MSCHAPv2 to authenticate, or will my authentication be done by client certificate?

2011/12/15 Phil Mayers p.may...@imperial.ac.uk
> On 15/12/11 14:29, Vincent Guardiola wrote:
>> Hi all, I have just one question about client certificates with EAP-TTLS or

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-15 Thread Phil Mayers
On 15/12/11 15:12, Vincent Guardiola wrote:
> Humm yes, but with this can I use MSCHAPv2 to authenticate, or will my

Yes.

> authentication be done by client certificate?

No.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-15 Thread Vincent Guardiola
Ok, I will try this :). I don't use the inner-tunnel file; is it required or not? I just use the file sites-enable/default

2011/12/15 Phil Mayers p.may...@imperial.ac.uk
> On 15/12/11 15:12, Vincent Guardiola wrote:
>> Humm yes, but with this can I use MSCHAPv2 to authenticate, or will my
>
> Yes.

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-15 Thread Phil Mayers
On 15/12/11 16:14, Vincent Guardiola wrote:
> Ok, I will try this :). I don't use the inner-tunnel file; is it required or not? I just use the file sites-enable/default

Not sure. Try it. I would always advise using inner-tunnel; it makes a lot of logical sense to have the PEAP inner processed

Re: EAP-TTLS/EAP-PEAP Certificats

2011-12-15 Thread Alan DeKok
Vincent Guardiola wrote:
> Ok, I will try this :). I don't use the inner-tunnel file; is it required or not? I just use the file sites-enable/default

Please read the documentation and examples that come with the server. It's MUCH nicer than asking questions which are already answered.

Alan

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-28 Thread Arran Cudbard-Bell
> I would have done this ages ago if I knew where to find a more comprehensive manual explaining it all, rather than relying on bits of info scattered in a thousand different places. The freeRADIUS wiki isn't terribly helpful either - this -

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-28 Thread Bjørn Mork
Arran Cudbard-Bell a.cudba...@freeradius.org writes:
> The wiki does NOT require you to log in to view content; that's the whole point of the new wiki. You're trying to access a page that doesn't exist. If you had even bothered to read the URL you'd have seen that it contained the word create,

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Alan DeKok
Mr Dash Four wrote:
> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?

If you're going to be an idiot, you can be unsubscribed from this list.

Alan DeKok.

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Alan DeKok
Mr Dash Four wrote:
> Networks, no matter how secure, can be compromised. As I pointed out previously - one can never be too careful.

You're not smart if you regurgitate trite phrases. You're smart if you spend the time to understand what you're talking about. You haven't done that.

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Phil Mayers
On 11/27/2011 12:51 AM, Mr Dash Four wrote:
>> No, the shared secret is not transmitted over the wire.
> For additional information see RFC2865, §2: "When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5." (see RFC131). MD5 is broken.

Thanks for the

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Alan DeKok
Phil Mayers wrote:
> Thanks for the public service announcement. Do you seriously think

And we stop there. He didn't.

Alan DeKok.

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Phil Mayers
> the wireless client, right? If so, this is

No. WAP == Wireless Access Point.

> indeed the case - the client will be a Linux-based device with wpa_supplicant and a driver which supports nl80211/cfg80211, so I can configure - at least on the client's part - EAP-TTLS/EAP-TLS authentication. My aim

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Arran Cudbard-Bell
On 27 Nov 2011, at 00:40, Mr Dash Four wrote:
>>> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
>> It is. I believe you misunderstood how RADIUS works.
> Maybe, considering I've been reading about RADIUS for just over 2 days...

Why don't you try reading about

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Alan Buxey
Hi,

> Firstly, all radius packets carrying EAP MUST carry a
<snip>

thanks Phil for this concise overview.. however

> Is the shared secret ideal? No. Is RADSEC better? Yes. Do any NAS vendors support it? No. Can we afford to stop using RADIUS? No.

LANCOM do eg

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Andreas Rudat
On 27.11.2011 10:17, Phil Mayers wrote:
> On 11/27/2011 12:51 AM, Mr Dash Four wrote:
>>> No, the shared secret is not transmitted over the wire.
>> For additional information see RFC2865, §2: "When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5."

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Alan DeKok
Andreas Rudat wrote:
> but if I understand it correctly, the shared_secret is just used as a trusted AP password?

No. Read the RFCs to understand what the shared secret does. Or read the RADIUS Wikipedia page. It's what we did.

Alan DeKok.

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Mr Dash Four
>> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
> If you're going to be an idiot, you can be unsubscribed from this list.

It takes one to know one. I'd stop acting DeCock if I were you though.

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Mr Dash Four
>> Networks, no matter how secure, can be compromised. As I pointed out previously - one can never be too careful.
> You're not smart if you regurgitate trite phrases.

And you are not smart either when you start throwing insults around.

> You're smart if you spend the time to

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Mr Dash Four
>> MD5 is broken.
> Thanks for the public service announcement.

Pleasure!

> Do you seriously think the IETF, and the people responsible for RADIUS protocol evolution, aren't aware of this? Seriously, what would you like us to do exactly? Travel back in time to the mid 1990s and re-do the first

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Mr Dash Four
> No. WAP == Wireless Access Point.

Noted, thanks.

>> indeed the case - the client will be a Linux-based device with wpa_supplicant and a driver which supports nl80211/cfg80211, so I can configure - at least on the client's part - EAP-TTLS/EAP-TLS authentication. My aim is to do the same on AP

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Mr Dash Four
> You think the RADSEC guys are going to mess with it just because it's used for transporting RADIUS packets? Where did I say or imply that?

Touche! OK, my understanding of EAP-TTLS/EAP-TLS is that the authentication happens in two distinct stages: the first stage (EAP-TTLS) is the outer

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Alan DeKok
Mr Dash Four wrote:
> It takes one to know one. I'd stop acting DeCock if I were you though.

Congratulations. You've been unsubscribed.

Alan DeKok.

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Stefan Winter
Hi,

>> You haven't done that. You're smart if you spend the time to understand what you're talking
> I know what I am talking about. When there is something I don't know, however - I ask, politely, and expect the same from others (that doesn't include you, apparently).

I think what Alan

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Alan DeKok
Stefan Winter wrote:
> I think what Alan was trying to point out is that

He's been unsubscribed from the list. It's OK to not understand RADIUS. It's OK to ask questions. It's OK to ask for help. That's what the list is for. It's *not* OK to say I've only been doing RADIUS for 2 days,

EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Mr Dash Four
-MD5, EAP-TLS). (line 78). Is that so? As for the actual EAP-TTLS/EAP-TLS authentication process I have another query - my understanding of the theory behind this method is that the authentication/authorisation process is done in two distinct phases - outer and inner authentication. This also

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Andreas Rudat
> ) distributed with the source code (I am using 2.1.12) states that "Currently Freeradius supports only 2 EAP-Types (EAP-MD5, EAP-TLS)." (line 78). Is that so? As for the actual EAP-TTLS/EAP-TLS authentication process I have another query - my understanding of the theory behind this method

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Mr Dash Four
>> of password or shared secret specified.
> so it is, you can only protect your AP client with the shared secret key.

In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Sven Hartge
>>> ) - it seems that freeRADIUS always needs some sort of password or shared secret specified.
>> so it is, you can only protect your AP client with the shared secret key.
> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?

It is. I believe you misunderstood how RADIUS works

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Sven Hartge
Sven Hartge s...@svenhartge.de wrote:
> Yes, this is kind of weak. And because of this weakness a protocol like RADsec has been developed, which is essentially RADIUS-with-SSL-over-TCP, thus providing strong encryption of the whole RADIUS session.

Addition: The first FreeRADIUS version to

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Ian Pilcher
On 11/26/2011 04:32 PM, Andreas Rudat wrote:
> so it is, you can only protect your AP client with the shared secret key.

Not necessarily. If the switch to which the WAP is connected supports 802.1x, it could act as a NAS and authenticate the WAP with EAP/TLS.

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Mr Dash Four
>> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
> It is. I believe you misunderstood how RADIUS works.

Maybe, considering I've been reading about RADIUS for just over 2 days...

> The connection between the AP (called NAS in RADIUS) and the RADIUS-Server is only

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Mr Dash Four
> Addition: The first FreeRADIUS version to include native RADsec support will be 3.0. To use it with a version below that, you usually proxy your normal RADIUS request through a software like radsecproxy.

Very interesting indeed. How about tunnelling (via ssh for example) - is that a similar

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Mr Dash Four
, this is indeed the case - the client will be a Linux-based device with wpa_supplicant and a driver which supports nl80211/cfg80211, so I can configure - at least on the client's part - EAP-TTLS/EAP-TLS authentication. My aim is to do the same on AP and RADIUS, which is the point of actually starting

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Sven Hartge
Mr Dash Four mr.dash.f...@googlemail.com wrote:
>>> In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
>> It is. I believe you misunderstood how RADIUS works.
> Maybe, considering I've been reading about RADIUS for just over 2 days...
>> The connection between the AP (called

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Sven Hartge
Mr Dash Four mr.dash.f...@googlemail.com wrote:
>> Addition: The first FreeRADIUS version to include native RADsec support will be 3.0. To use it with a version below that, you usually proxy your normal RADIUS request through a software like radsecproxy.
> Very interesting indeed. How about

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Mr Dash Four
the following parameters with regards to EAP-TTLS/EAP-TLS:

proto=WPA2
key_mgmt=WPA-EAP
auth_alg=OPEN
eap=TTLS
# Phase 1 / outer authentication
ca_cert="/etc/cert/ca_p1.pem"
subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=ap_ser...@example.com"
altsubject_match="EMAIL:ap_ser

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Mr Dash Four
> Well, if you cannot trust your own internal network, then you have other problems than securing your RADIUS authentication.

Networks, no matter how secure, can be compromised. As I pointed out previously - one can never be too careful.

Re: Configuring multiple, chained EAP methods (i.e. EAP-TTLS-EAP-MD5-EAP-TNC)

2008-04-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> is it possible to configure multiple eap methods that must all be executed for a user?

That will require source code changes.

> Currently, I just managed to do either EAP-MD5 or EAP-TNC inside the TTLS tunnel, not both. I see no option in the config files where

Configuring multiple, chained EAP methods (i.e. EAP-TTLS-EAP-MD5-EAP-TNC)

2008-04-08 Thread ingo . bente
Hi,

is it possible to configure multiple eap methods that must all be executed for a user? I.e., I am thinking of something like:

- establish a TTLS tunnel
- do EAP-MD5 for user authentication
- do EAP-TNC for platform authentication

Currently, I just managed to do either EAP-MD5 or EAP-TNC

RE: EAP-TTLS-EAP-*

2004-03-10 Thread Tom Rixom
PROTECTED]
Subject: Re: EAP-TTLS-EAP-*

Tom Rixom [EMAIL PROTECTED] wrote:
> Put it together into a 4 byte sequence and you can see the incorrect padding. It should be 1:

Ok. The problem is a simple one, I think:

/*
 * Align the data to a multiple of 4 bytes

RE: EAP-TTLS-EAP-*

2004-03-09 Thread Tom Rixom
, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: EAP-TTLS-EAP-*

Tom Rixom [EMAIL PROTECTED] wrote:
> I am using a debugged version of our SecureW2 Client v2.0.0 and I am seeing the double EAP-Message just after decryption so that means it must have been sent by the FreeRadius server. Even

Re: EAP-TTLS-EAP-*

2004-03-09 Thread Alan DeKok
Tom Rixom [EMAIL PROTECTED] wrote:
> Put it together into a 4 byte sequence and you can see the incorrect padding. It should be 1:

Ok. The problem is a simple one, I think:

/*
 * Align the data to a multiple of 4 bytes.
 */
if ((total & 0x03) != 0) {

RE: EAP-TTLS-EAP-*

2004-03-08 Thread Tom Rixom
, 2004 1:16 AM
To: [EMAIL PROTECTED]
Subject: Re: EAP-TTLS-EAP-*

Tom Rixom [EMAIL PROTECTED] wrote:
> Thanks! Did you change the RLM_MODULE_HANDLED to PW_CHALLENGE in rlm_eap_ttls.c?

A little more than that, but pretty much. Are you familiar with the TLS protocol

RE: EAP-TTLS-EAP-*

2004-03-08 Thread Tom Rixom
Rixom
Sent: Monday, March 08, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: EAP-TTLS-EAP-*

Hi Alan,

I got EAP-TLS-EAP-MSCHAPV2 working but I had to tweak SecureW2 a bit for FreeRadius. I had a closer look and this is what I came up with (With help of the -Xxx

Re: EAP-TTLS-EAP-*

2004-03-08 Thread Patrick Mercier
PROTECTED]
Sent: Monday, March 08, 2004 9:22 AM
Subject: RE: EAP-TTLS-EAP-*

Hi Alan,

I got EAP-TLS-EAP-MSCHAPV2 working but I had to tweak SecureW2 a bit for FreeRadius. I had a closer look and this is what I came up with (With help of the -Xxx ;)): this is the log file of FreeRadius:

Mon Mar 8

RE: EAP-TTLS-EAP-*

2004-03-08 Thread Tom Rixom
Ok, completely forget all the stuff I just said about the extra 0's as I am an idiot that forgot about the 4 octet boundary of Diameter AVPs...

Tom.

-----Original Message-----
From: Tom Rixom
Sent: Monday, March 08, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: EAP-TTLS-EAP

RE: EAP-TTLS-EAP-*

2004-03-08 Thread Tom Rixom
as specified by the RFC the last 2 00 00 are incorrect.

Regards,

Tom.

-----Original Message-----
From: Tom Rixom
Sent: Monday, March 08, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject: RE: EAP-TTLS-EAP-*

Ok, completely forget all the stuff I just said about the extra 0's as I am

Re: EAP-TTLS-EAP-*

2004-03-08 Thread Alan DeKok
Tom Rixom [EMAIL PROTECTED] wrote:
> I checked and the AVP Diameter padding in the last MSCHAPV2 packet is incorrect.

That's bad. Very bad.

> As you can see if you split the Diameter message up into sequences of 4 bytes as specified by the RFC the last 2 00 00 are incorrect.

What's

RE: EAP-TTLS-EAP-*

2004-03-08 Thread Tom Rixom
[mailto:[EMAIL PROTECTED]
Sent: Monday, March 08, 2004 10:58 PM
To: [EMAIL PROTECTED]
Subject: Re: EAP-TTLS-EAP-*

Tom Rixom [EMAIL PROTECTED] wrote:
> I checked and the AVP Diameter padding in the last MSCHAPV2 packet is incorrect.

That's bad. Very bad.

> As you can see if you split

RE: EAP-TTLS-EAP-*

2004-03-06 Thread Tom Rixom
DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, March 05, 2004 7:31 PM
To: [EMAIL PROTECTED]
Subject: Re: EAP-TTLS-EAP-*

Tom Rixom [EMAIL PROTECTED] wrote:
> - The EAP-TTLS module looks at the Access-Challenge and generates a RLM_MODULE_HANDLED return code
> - The EAP-TTLS module looks

Re: EAP-TTLS-EAP-*

2004-03-06 Thread Alan DeKok
Tom Rixom [EMAIL PROTECTED] wrote:
>>> Thanks! Did you change the RLM_MODULE_HANDLED to PW_CHALLENGE in rlm_eap_ttls.c?
>> A little more than that, but pretty much. Are you familiar with the TLS protocol?
> Unfortunately, yes. Because as that did the trick for EAP-MD5, EAP-MSCHAPV2 still screws

EAP-TTLS-EAP-*

2004-03-05 Thread Tom Rixom
Howdie,

I am trying to get EAP-TTLS-EAP-* working... but I keep running into the following with any EAP type within EAP-TTLS.

rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes

RE: EAP-TTLS-EAP-*

2004-03-05 Thread Tom Rixom
-----Original Message-----
From: Tom Rixom
Sent: Friday, March 05, 2004 11:22 AM
To: Freeradius-Users (E-mail)
Subject: EAP-TTLS-EAP-*

Howdie,

I am trying to get EAP-TTLS-EAP-* working... but I keep running into the following with any EAP type within EAP-TTLS.

rlm_eap_tls: Length

RE: EAP-TTLS-EAP-*

2004-03-05 Thread Tom Rixom
to know is if I am correct in stating that INNER EAP for TTLS is not fully functional in freeradius yet?

Regards,

Tom Rixom

-----Original Message-----
From: Tom Rixom
Sent: Friday, March 05, 2004 1:36 PM
To: [EMAIL PROTECTED]
Subject: RE: EAP-TTLS-EAP-*

Ok, I have had a look at the code

Re: EAP-TTLS-EAP-*

2004-03-05 Thread Alan DeKok
Tom Rixom [EMAIL PROTECTED] wrote:
> I am trying to get EAP-TTLS-EAP-* working... but I keep running into the following with any EAP type within EAP-TTLS.
...

I took a quick look at the EAP-TTLS module, and discovered some curious things. I think I've fixed them, so if you could grab

Re: EAP-TTLS-EAP-*

2004-03-05 Thread Alan DeKok
Tom Rixom [EMAIL PROTECTED] wrote:
> - The EAP-TTLS module looks at the Access-Challenge and generates a RLM_MODULE_HANDLED return code
> - The EAP-TTLS module looks at the return code, and because RLM_MODULE_HANDLED is not handled it generates an error and the authentication fails...