Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2011-07-27 Thread m4xmr
Have you got some useful information about it? Let me know, please. Max

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
OpenLDAP do? John. --- On Monday, 15 March 2010, Alan DeKok al...@deployingradius.com wrote: From: Alan DeKok al...@deployingradius.com Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Date: Monday, 15 March 2010, 12:59 PM John wrote

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I attached the captured packets. Please open it with wireshark. The password from OD is “”. It is neither cleartext password nor encrypted password. --- On Thursday, 18 March 2010, John elmer_rad...@yahoo.com.cn wrote: From: John elmer_rad...@yahoo.com.cn Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple

Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-14 Thread John
Hello, We want to set up freeRADIUS with Peap/MSCHAPv2 to talk to Apple Open Directory. I found this option 'use_open_directory'. But it looks like we need to install freeRADIUS on the same machine with Open Directory. (https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-14 Thread Alan DeKok
John wrote: Hello, We want to set up freeRADIUS with Peap/MSCHAPv2 to talk to Apple Open Directory. I found this option 'use_open_directory'. But it looks like we need to install freeRADIUS on the same machine with Open Directory. (https://lists.freeradius.org/pipermail/freeradius-users/2010-February

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-15 Thread Alan DeKok
Moritz Dereschkewitz wrote: Wow, that sounds great. I haven't read about the use_open_directory option yet. Do I have to configure the mschap-module to connect to the OD, since Freeradius is not running on the Apple server? E.g. specify the server address? Or does it find the server

Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Moe D.
Hello List! I got a machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless LAN. In our school’s network we (have to) use an Apple Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user information using the OpenDirectory on the same server – using the NTLM

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Alan DeKok
Moe D. wrote: I got a machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless LAN. In our school’s network we (have to) use an Apple Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user information using the OpenDirectory on the same server – using the NTLM

Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-02-12 Thread Moritz Dereschkewitz
On 13.02.2010 08:21, Alan DeKok wrote: Moe D. wrote: I got a machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless LAN. In our school’s network we (have to) use an Apple Mac OS X 10.4 Server with Samba as the PDC. Samba stores the user information using the

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Tim Gustafson
Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is more up-to-date than the CentOS Yum repositories apparently). However, upon reading the documentation in modules/ldap, I see this: # However, LDAP can be used for authentication ONLY when the # Access-Request packet

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Kenneth Marshall
See: http://deployingradius.com/documents/protocols/oracles.html Ken On Tue, Nov 18, 2008 at 01:29:48PM -0800, Tim Gustafson wrote: Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is more up-to-date than the CentOS Yum repositories apparently). However, upon

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Alan DeKok
Tim Gustafson wrote: Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is more up-to-date than the CentOS Yum repositories apparently). However, upon reading the documentation in modules/ldap, I see this: ... So, does this mean that you can't do MSCHAPv2 against an

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-16 Thread Matt Bernstein
On Nov 14 Tim Gustafson wrote: I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine. The easiest way to install the latest FreeRADIUS on CentOS I know of is to visit http://koji.fedoraproject.org/koji/packageinfo?packageID=298, find the latest source RPM and rebuild it. It's a small

FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
Hello, I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine. I'm trying to figure out how to configure FreeRADIUS to authenticate against an OpenLDAP server using MSCHAPv2. I Googled a lot of different phrases, and came up with some things that were mildly helpful. Right now, I have

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine. I'm trying to figure out how to configure FreeRADIUS to authenticate against an OpenLDAP server using MSCHAPv2. I Googled a lot of different phrases, and came up with some things that were mildly helpful. Right now, I have FreeRADIUS

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
There is nothing to do. It's already active in default configuration. Really? Because the default config seems to want to use ntlm_auth to authenticate mschapv2 users, which is a samba helper designed to authenticate a user against a samba server, not an OpenLDAP server. I'm thinking what I

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
There is nothing to do. It's already active in default configuration. Really? Because the default config seems to want to use ntlm_auth to authenticate mschapv2 users, which is a samba helper designed to authenticate a user against a samba server, not an OpenLDAP server. ntlm_auth line is

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
made clear in any documentation. And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP server as opposed to text files or PAM? I'm attaching my radiusd.conf to this e-mail, any comments would be greatly appreciated. I stripped out all the comments and removed the modules

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
made clear in any documentation. Yes, it needs clear text or NT hashed password. You can store plain text in userPassword. http://deployingradius.com/documents/protocols/compatibility.html And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP server as opposed to text

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
And so much more (peap is misconfigured, as is ldap, mschap auth type is gone, there is nothing to get the password from ...). That will not work. I have fixed that; the copy that I sent you was indeed broken. I can now authenticate using standard (non-MSCHAP) authentication against the LDAP

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Alan DeKok
Tim Gustafson wrote: I have fixed that; the copy that I sent you was indeed broken. I can now authenticate using standard (non-MSCHAP) authentication against the LDAP server. I haven't been able to get the radeapclient program working yet - it keeps crashing with an error that apparently

Freeradius and mschapv2

2005-05-21 Thread Jonathan Delizy
Hi everyone, I've just installed FreeRadius on my server. I need to authenticate clients by using MSCHAPv2. I've followed this howto: http://www.tldp.org/HOWTO/8021X-HOWTO/freeradius.html But, when I run radiusd -X, it says that it needs a certificate. I use MSCHAPv2 as I don't want to have to

Re: Freeradius and mschapv2

2005-05-21 Thread Zoltan A. Ori
On Saturday 21 May 2005 08:11, Jonathan Delizy wrote: Hi everyone, I've just installed FreeRadius on my server. I need to authenticate clients by using MSCHAPv2. I've followed this howto: http://www.tldp.org/HOWTO/8021X-HOWTO/freeradius.html But, when I run radiusd -X, it says that it needs a

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-25 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote: I'm still not seeing it. If it's listed in the authorize section, it will be printed out in debugging mode. Are you willing to provide debug logs? Let's start over. What is the best way of authenticating users to an NT domain over PEAP? Am I even on

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote: Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain in the 'authorize' section to make freeradius use it? If it's listed there, you should see it printed out in

RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-24 Thread Hand, Chris
AM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client Hand, Chris [EMAIL PROTECTED] wrote: Yes, I am using the ntdomain realm. However, I do not see it show up in the debugging output. Do I need to do anything other than list ntdomain

Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I am trying to set up 802.1x on our network and I would like the users to be able to use their current Active Directory credentials. I need the AD domain to be stripped from the username so that I can feed it to ntlm_auth. I am using a Windows XP Pro client and Windows 2003 server. Here is part

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Paul Bender
Did you cut and paste or type the lines from your config file? According to the config file ntlm_auth has the argument '--challence', but the debug output has the argument '--challenge'. Hand, Chris wrote: I am trying to set up 802.1x on our network and I would like the users to be able to use

RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
I retyped the config. That is a typo. It should be '--challenge'. -Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Bender Sent: Monday, August 23, 2004 4:01 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote: Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge=3d66c96d9aa150e6 --nt-response=c97090b4f7aeeac3ea2a98e24daf1fdac43f626658cbe463 Exec-Program-Wait: plaintext: Logon failure (0xc06d) Where's the username?

RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
PROTECTED] On Behalf Of Alan DeKok Sent: Monday, August 23, 2004 4:36 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client Hand, Chris [EMAIL PROTECTED] wrote: Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=MI --username= --challenge

Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Alan DeKok
Hand, Chris [EMAIL PROTECTED] wrote: Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from the username is not working. Are you using the ntdomain realm, as given in radiusd.conf? Are you running it in debugging mode, to see that the

RE: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client

2004-08-23 Thread Hand, Chris
Of Alan DeKok Sent: Monday, August 23, 2004 5:19 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPv2 + ntlm_auth + Windows XP client Hand, Chris [EMAIL PROTECTED] wrote: Exactly... The username is not getting fed into ntlm_auth. It seems that the stripping of the domain from

Re: FreeRADIUS and mschapv2 problems

2004-05-28 Thread Dinko Korunic
On Thu, May 27, 2004 at 09:36:18PM -0500, Michael Griego wrote: Try the attached patch to the sha1.c file and see if that takes care of the problem. I've been working and coding on this all night, and I might have an answer. Seems that endianness isn't an issue - more probably the SHA1 code and

Re: FreeRADIUS and mschapv2 problems

2004-05-28 Thread Dinko Korunic
On Thu, May 27, 2004 at 05:03:26PM -0400, Alan DeKok wrote: You can then run it on two machines, use 'grep' to pull out the MSCHAP lines from the debug log, and then use 'diff' to see where they differ. This will let you track down where the problem occurs. I've traced the bug down to SHA1

Re: FreeRADIUS and mschapv2 problems

2004-05-28 Thread Alan DeKok
Dinko Korunic [EMAIL PROTECTED] wrote: I've been working and coding on this all night, and I might have an answer. Seems that endianness isn't an issue - more probably the SHA1 code and macros, which confuse gcc (3.3, 2.95, etc.) on Alpha architecture. Ah. That's why it works fine on

Re: FreeRADIUS and mschapv2 problems

2004-05-28 Thread Dinko Korunic
On Fri, May 28, 2004 at 05:05:04PM +0200, Dinko Korunic wrote: void SHA1Final(uint8_t *out, void* ctx); uint32_t rol(uint32_t value, uint32_t bits); Doh. Sorry, I've missed that you've added SHA1FinalNoLen() as SHA1-M implementation of FIPS 186-2 Appendix 3.3 in recent CVS sha1. Here's the

Re: FreeRADIUS and mschapv2 problems

2004-05-28 Thread Alan DeKok
Dinko Korunic [EMAIL PROTECTED] wrote: Here's the updated version - which is working well according to test vectors I've got from your old code. I hope I didn't break EAP-SIM :) I've just committed an update to the existing SHA1 code. I realized that I had hacked md4/md5, to use uint32_t

Re: FreeRADIUS and mschapv2 problems

2004-05-28 Thread Dinko Korunic
On Fri, May 28, 2004 at 01:08:26PM -0400, Alan DeKok wrote: The new code passes my tests, and should pass yours, too. Yeps, works. It looks a bit messy, though, but works for both padded and unpadded outputs for test vectors. Excellent, I'm glad that's fixed. -- | |--..-. Dinko

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Dinko Korunic
On Wed, May 26, 2004 at 11:14:51PM +0200, Dinko Korunic wrote: I've read this list archives thoroughly, and I've tried most of the stuff people were reporting. Is there anything else I could check? Should I try with NT-hashed passwords? Should I try with auth_ntlm to debug chap responses? I'm

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Alan DeKok
Dinko Korunic [EMAIL PROTECTED] wrote: Using the radauth (Java-based demo RADIUS client available from http://www.axlradius.com), I've been able to narrow the already described problem: * auth types of PAP, CHAP, EAPMD5, MSCHAP (v1) work fine, * auth type of MSCHAPv2 doesn't work.

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Dinko Korunic
On Thu, May 27, 2004 at 09:44:35AM -0400, Alan DeKok wrote: Others are using MSCHAPv2 with the latest CVS snapshots. Are you sure that the client is OK? Unfortunately, I can confirm that I've been unsuccessful with 4 different Windows boxes using MSCHAPv2 which have been using Java RADIUS

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Dinko Korunic
On Thu, May 27, 2004 at 10:36:49AM -0400, Alan DeKok wrote: I've tested with the latest CVS snapshot, using a copy of an MS-CHAPv2 session I've had sitting around for months, and which was taken from a non-FreeRADIUS client. It works for me. Are you sure you're running the latest CVS

Re[2]: FreeRADIUS and mschapv2 problems

2004-05-27 Thread 3APA3A
Dear Alan DeKok, there is a bug in MS-CHAPv2 if do_ntlm_auth is configured: /* * Update the NT hash hash, from the NT key. */ if (hex2bin(buffer + 8, nthashhash, 16) != 16) { Buffer

Re[2]: FreeRADIUS and mschapv2 problems

2004-05-27 Thread 3APA3A
Dear Dinko Korunic, --Thursday, May 27, 2004, 4:31:17 PM, you wrote to [EMAIL PROTECTED]: DK User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP DK 116.101.115.116], 0 x74657374 Look at Length carefully. It must be 4 bytes, not 6, probably it's a bug of your client. Unlike

Re[2]: FreeRADIUS and mschapv2 problems

2004-05-27 Thread 3APA3A
Dear Dinko Korunic, --Thursday, May 27, 2004, 4:31:17 PM, you wrote to [EMAIL PROTECTED]: DK NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C DK 6991E DK User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0 DK x74657374 DK How that

Re[3]: FreeRADIUS and mschapv2 problems

2004-05-27 Thread 3APA3A
Dear 3APA3A, --Thursday, May 27, 2004, 8:29:05 PM, you wrote to [EMAIL PROTECTED]: 3 Buffer hash nthash, additional md4() is required to get nthashhash from 3 nthash. Typo. I mean buffer _has_ (contains) nthash, to convert nthash to nthashhash additional MD4 is required. -- ~/ZARAZA

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Alan DeKok
Dinko Korunic [EMAIL PROTECTED] wrote: Are you sure you're running the latest CVS snapshot? Yeps, taken from CVS these days: Hmmm.. try: User-Name = aland MS-CHAP-Challenge = 0x06bc3119daab4d9bb26be8d3ae4d958b616c616e64 MS-CHAP2-Response =

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread M.Jessa
Hello Dinko, Wednesday, May 26, 2004, 11:14:51 PM, you wrote: DK Hi. I've been using FreeRadius recent CVS version to authenticate DK wireless Windows XP/2k users via EAP and Cisco AP1000 series. I've so DK far succeeded in EAP/TLS and EAP/TTLS, as well as with non-EAP modules DK (PAP and CHAP)

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Dinko Korunic
On Thu, May 27, 2004 at 01:55:52PM -0400, Alan DeKok wrote: If that doesn't work, then I think there's something wrong with your local install. Try it on another machine, and see if it's any better. I have, in fact. You're not going to like the answer - it seems that current rlm_mschap

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Alan DeKok
Dinko Korunic [EMAIL PROTECTED] wrote: I have, in fact. You're not going to like the answer - it seems that current rlm_mschap isn't endian-clean. That's at least an explanation as to why it doesn't work. Now that we know that, it's possible to track down the problem. You can use the

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Dinko Korunic
On Thu, May 27, 2004 at 05:03:26PM -0400, Alan DeKok wrote: Dinko Korunic [EMAIL PROTECTED] wrote: You can then run it on two machines, use 'grep' to pull out the MSCHAP lines from the debug log, and then use 'diff' to see where they differ. This will let you track down where the

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Dinko Korunic
On Fri, May 28, 2004 at 02:34:48AM +0200, Dinko Korunic wrote: As we can see, initial challenge calculation has gone wrong somewhere.. which is happening in challenge_hash(), function which is strictly using OpenSSL SHA1 functions. Doh. I thought at least OpenSSL should be endian-clean.. To

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Michael Griego
The SHA1 functions are implemented in src/lib/sha1.c --Mike On Thu, 2004-05-27 at 20:31, Dinko Korunic wrote: On Fri, May 28, 2004 at 02:34:48AM +0200, Dinko Korunic wrote: As we can see, initial challenge calculation has gone wrong somewhere.. which is happening in challenge_hash(),

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Michael Griego
Looks like this might be an updated version of this file that handles endian issues: http://gtk-gnutella.sourceforge.net/tools/sha1/sha1.c --Mike On Thu, 2004-05-27 at 20:58, Michael Griego wrote: The SHA1 functions are implemented in src/lib/sha1.c --Mike On Thu, 2004-05-27 at 20:31,

Re: FreeRADIUS and mschapv2 problems

2004-05-27 Thread Michael Griego
Try the attached patch to the sha1.c file and see if that takes care of the problem. --Mike On Thu, 2004-05-27 at 20:31, Dinko Korunic wrote: On Fri, May 28, 2004 at 02:34:48AM +0200, Dinko Korunic wrote: As we can see, initial challenge calculation has gone wrong somewhere.. which is

FreeRADIUS and mschapv2 problems

2004-05-26 Thread Dinko Korunic
Hi. I've been using FreeRadius recent CVS version to authenticate wireless Windows XP/2k users via EAP and Cisco AP1000 series. I've so far succeeded in EAP/TLS and EAP/TTLS, as well as with non-EAP modules (PAP and CHAP) just to test if it is all properly setup. However, I'm failing with

RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. \(IATS\)
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote: Ok, but isn't the with_ntdomain_hack = yes directive in the radiusd.conf file supposed to correct this behavior? Theoretically, yes. But when you're calling ntlm_auth, the with_ntdomain_hack isn't being used. Why would it? You're

Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote: To clarify things here, the --domain and --username arguments are right, but the --challenge argument is incorrect. Ah, OK. The username being used in this function still contains the DOMAIN! This is what is keeping the auth from working.

RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. \(IATS\)
. Brian D. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: Monday, May 03, 2004 1:07 PM To: [EMAIL PROTECTED] Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote

Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Alan DeKok
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote: I patched the rlm_mschap.c file (attached). I pulled code from rlm_preprocess.c that handles the with_ntdomain_hack and modified it to work. Similar code already existed in rlm_mschap.c. The fix was 1 line. The user_name argument being

Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. \(IATS\)
Hello all, We are in the process of testing 802.1x authentication for future deployment on campus. Our test setup includes the following: freeradius-snapshot-20040427 running on RHEL 3.0 AS Configured for PEAP with MSCHAPv2 using SAMBA's winbind/ntlm_auth Multiple AD domains (smb.conf points to

RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. \(IATS\)
Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote: 1. Keeping in mind that user1 in domain1 can auth as long as domain1 isn't supplied why does supplying domain1 cause the auth to fail? Because the MS client does the MS-CHAP calculations using the username without the domain, but