EAP-TLS Authentication

2013-09-23 Thread arvind132 .
Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding on TLS Authentication. Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS Authentication

2013-09-23 Thread Muhammad Nadeem
wrote: Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding on TLS Authentication. Thanks. -- Best Regards Muhammad Nadeem

EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Hi, I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0. EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it doesn't. Is there anything I'm missing? The problem appears to be that the client doesn't send over the client cert. I know Windows is very fussy

Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread Martin Kraus
On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote: I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0. EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it doesn't. Hi. make fragment_size in modules/inner-eap smaller than fragment_size

Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
. On 17 September 2013 08:46, Martin Kraus lists...@wujiman.net wrote: On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote: I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0. EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it doesn't. Hi

Re: eap-tls ignore client cert expiry check - crazy idea?

2013-09-02 Thread ken.farrington
Hi All, Just to let you all know I did get all my setup working (took me a while being not a linux guru) but it does work as expected. Just in case anyone was wondering :) Many thanks all Ken :) On 29 August 2013 at 16:05 ken.farrington ken.farring...@802.co.uk wrote: Hi All, Is there a

eap-tls ignore client cert expiry check - crazy idea?

2013-08-29 Thread ken.farrington
Hi All, Is there a way if I had 10 clients in my home lab and all the certs expire tomorrow, that rather than re-provide all the certs to my clients, I can frigg the radius server time, to still accept them. I'm guessing this is a no, but from what I see, the client cert is presented, and check

EAP-TLS and TLS record protocol

2013-05-24 Thread Pieter Hulshoff
, negotiate the encryption/signing algorithm(s) for the TLS record protocol, and exchange the key information before switching to the selected encryption/signing algorithm(s) for secure data transport. EAP-TLS however seems focused on authorization and exchanging the key information, leaving

Re: EAP-TLS and TLS record protocol

2013-05-24 Thread Phil Mayers
authenticate the server and optionally the client, negotiate the encryption/signing algorithm(s) for the TLS record protocol, and exchange the key information before switching to the selected encryption/signing algorithm(s) for secure data transport. EAP-TLS however seems focused on authorization

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Franks Andy (RLZ) IT Systems Engineer
Just confirming that I've tested this in the past and it works, but I believe the poster of the article is dubious about a production environment. When I tried it on wifi it took a second or so more to authenticate for some reason, so we eventually went with eap-tls instead because

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Robert
Thank you! The configuration in the link works. The key is setting fragment_size correctly. But I am confused about the two methods : Is EAP PEAP/TLS = EAP PEAP/EAP-TLS ? Or they are two different methods? -Original Message- From: freeradius-users-bounces+robert_chen=favite

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Matthew Newton
. When I tried it on wifi it took a second or so more to authenticate for some reason, so we eventually went with eap-tls instead because of this and because it was simpler. I did also get quite a few The EAP message did not complete but that could be coincidental. It's been running fine here

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Matthew Newton
On Tue, May 21, 2013 at 03:21:33PM +0800, Robert wrote: Thank you! The configuration in the link works. The key is setting fragment_size correctly. Yes, that was the gotcha. But I am confused about the two methods : Is EAP PEAP/TLS = EAP PEAP/EAP-TLS ? Or they are two different methods

Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Robert
Hi I use freeradius v2.1.10 in Debian Squeeze 6.0.1. I want to know if freeradius supports the following methods: EAP PEAP/TLS, EAP PEAP/EAP-TLS? The client I use is wpa_supplicant v0.6.9. Regards, Robert

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
] On Behalf Of Robert Sent: 20 May 2013 09:03 To: freeradius-users@lists.freeradius.org Subject: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ? Hi I use freeradius v2.1.10 in Debian Squeeze 6.0.1. I want to know if freeradius supports the following methods: EAP PEAP/TLS, EAP

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote: It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf – you can configure all supported options in there. Not sure you've understood what he's asking there; he wants to know if you can do PEAP with EAP-TLS as an inner. The main

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 09:02, Robert wrote: Hi I use freeradius v2.1.10 in Debian Squeeze 6.0.1. I want to know if freeradius supports the following methods : See here: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
Ahhh. According to this conversation: http://freeradius.1045715.n5.nabble.com/PEAP-EAP-TLS-with-client-and-server-certificate-td2760634.html - FR does support PEAP-EAP-TLS :-) Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 10:59, stefan.pae...@diamond.ac.uk wrote: Ahhh. According to this conversation: That's a really old conversation. See instead the link I posted in my other email.

Re: Question on certificates before deep dive into EAP-TLS

2013-04-12 Thread Alan DeKok
Mathieu Simon wrote: Telling students how to install a internal CA root isn't going to work, it already didn't work for teachers in the past ... Yes. That is a problem. But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily

Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
G'day As a (hopefully) answer-able question to those experienced with EAP-TLS that I've been twisting my brain: Usually I've seen example for EAP-TLS setups that used a server-side certificate issued from the same CA as the one it should allow EAP-TLS clients who present their certificate to FR

Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Alan DeKok
Mathieu Simon wrote: Usually I've seen example for EAP-TLS setups that used a server-side certificate issued from the same CA as the one it should allow EAP-TLS clients who present their certificate to FR. Yes. Am I guessing correctly that CA_file can contain a different list of CA(s

Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
Hi On 11.04.2013 20:08, Alan DeKok wrote: snip! The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a trusted external CA) While that works, it's not recommended. It means that the client will trust *any*

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan Buxey
to do something it won't do anything, there's no entry in clients.conf other than localhost too, so even if you had the required ports open to the world, nothing is going to happen. If all you want is EAP-TLS auth then it's very easy to minimise to that config, much much easier than having

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan DeKok
Thomas Hruska wrote: Nowhere in there does it explain why proxying is on by default. It just says that it can be turned off. I want to know why it is on by default in the first place. From what I'm beginning to understand, based on your reply, FreeRADIUS opens a port that isn't necessary

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Thomas Hruska
On 3/24/2013 5:59 AM, Alan DeKok wrote: Thomas Hruska wrote: Nowhere in there does it explain why proxying is on by default. It just says that it can be turned off. I want to know why it is on by default in the first place. From what I'm beginning to understand, based on your reply,

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan DeKok
Thomas Hruska wrote: The difference from your response to Arran's response to my questions is night and day. He was moderately polite while you were and are downright rude. As always, my first response is polite and answers your questions. I only get blunt when people argue with me.

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-24 Thread Alan Buxey
Blah blah. But you don't say what the issue is with the documentation...in fact your issue was with the default config and your requirements...which are actually both fully documented in the config. I don't see why you've dropped in from nowhere, thrown your ego around and then claim to be

Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Thomas Hruska
I want to set up FreeRADIUS using EAP-TLS only. I'm running Ubuntu Server 12.04.2 LTS here with the packaged build of FreeRADIUS from the default Ubuntu/Debian apt-get package repository. I'm finding junk scattered all over the place for configuring this thing (typical), so my first

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Alan DeKok
Thomas Hruska wrote: Since I only want EAP-TLS, output lines like the following bother me (I've inlined my concerns): ... Does FreeRADIUS really need to load all of those config files to function? No. That's why the config files are editable. So you can edit them. That is, does

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Thomas Hruska
client was the IP # address of the client. In 2.0, the IP address is configured via # the ipaddr or ipv6addr fields. For compatibility, the 1.x # format is still accepted. # Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a password - it can expire, but the message

Re: Setting up EAP-TLS as the ONLY authentication mechanism?

2013-03-23 Thread Arran Cudbard-Bell
be useful. The default client secrets(s) should be different from the default proxy secret(s) to avoid confusion for first-time users. I missed that it is there for testing. And I see why: That sentence is ambiguous. Most of that seems irrelevant to EAP-TLS. A certificate isn't

EAP-TLS testing, occasional errors

2013-03-07 Thread Bertalan Voros
Hello All, I have configured a server to test EAP-TLS. Created the CA, a server and one client certificate. The same client certificate was then installed on three different devices; OSX, Windows 7 and an Android 4.2. All is well, all the devices can authenticate successfully, however, every

Re: EAP-TLS testing, occasional errors

2013-03-07 Thread Phil Mayers
On 07/03/13 16:01, Bertalan Voros wrote: Has anyone seen this before? I see all kinds of weirdness from clients. Fundamentally, the problem is at the client - it didn't send a certificate - so you need to troubleshoot it there.

Re: EAP-TLS and OS X clients

2013-02-20 Thread Jaap Winius
Quoting a.l.m.bu...@lboro.ac.uk: SSL certs can be in various formats. Ones that are 'usable' depends on the underlying code, but the useful types are usually PEM, DER (also known as CER) and P12; these are all active certs. CSR is a certificate signing request file and isn't a valid cert for

Re: EAP-TLS and OS X clients

2013-02-20 Thread A . L . M . Buxey
Hi, Eventually, though, it turned out that the most important issue was with OS X 10.7 (Lion). With this particular version of Apple's OS, yes, I know. Apple suck for doing this. I manage campus network at Loughborough university and eduroam federation in the UK and so am well aware of OSX

Re: EAP-TLS and OS X clients

2013-02-20 Thread Jaap Winius
easy information to find). Moreover, I explained that I was using a WPA2-Enterprise configuration with Freeradius 2.1.0, EAP-TLS and 4096-bit SHA-1 in my first post in this thread on Sunday 17 Feb. Cheers, Jaap

Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers
code=2 id=0) - dropping packet I googled this problem and found a solution that the user Auth-type is set to Accept (I manually checked the user in Database, and its Auth-Type was Accept) and this type prevents further process. Yes Now my question is that, could I continue EAP-TLS authentication

Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers
On 19/02/13 14:16, Muhammad Nadeem wrote: [eap] EAP NAK [eap] NAK asked for bad type 0 You've mis-configured the client. Go back and look at it again.

Re: EAP-TLS certificate problem

2013-02-19 Thread John Dennis
) and this type prevents further process. Yes Now my question is that, could I continue EAP-TLS authentication, regardless of Auth-Type is set to Accept??? No. Don't set Auth-Type unless you know what you're doing. Doesn't look like you actually heeded this advice does it? Hint, look at your select

Re: EAP-TLS certificate problem

2013-02-19 Thread Alan DeKok
Muhammad Nadeem wrote: I succeeded in authenticating the users from a database. But when I set up the same setup on another machine, it failed :( The following output is the debug output of the freeradius server. (I think EAP NAK is creating problems). Yes. Read the debug output. [eap]

Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers
On 02/18/2013 06:31 AM, Tobias Hachmer wrote: Hello Muhammad, On 18.02.2013 07:17, Muhammad Nadeem wrote: Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I have configured eap.conf to use EAP-TLS. But I don't know how to send requests to freeradius server, so that he can

Re: EAP-TLS problem

2013-02-18 Thread A . L . M . Buxey
Hi, Thankfully, this isn't correct. You can use eapol_test which comes with the wpa_supplicant source to test pretty much every EAP type there is, including EAP-TLS. To the OP - download wpa_supplicant sources and build eapol_test. eapol_test is VERY powerful. And there are even little

Re: EAP-TLS problem

2013-02-18 Thread Muhammad Nadeem
On 2/18/13, Phil Mayers p.may...@imperial.ac.uk wrote: On 02/18/2013 06:31 AM, Tobias Hachmer wrote: Hello Muhammad, On 18.02.2013 07:17, Muhammad Nadeem wrote: Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I have configured eap.conf to use EAP-TLS. But I don't know

Re: EAP-TLS problem

2013-02-18 Thread Muhammad Nadeem
On 2/18/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote: Hi, Thankfully, this isn't correct. You can use eapol_test which comes with the wpa_supplicant source to test pretty much every EAP type there is, including EAP-TLS. To the OP - download wpa_supplicant sources and build

Re: EAP-TLS problem

2013-02-18 Thread A . L . M . Buxey
Hi, (but this mailing list isn't a support forum for either of those tools!) I guess you don't read what I post... which means I'm not likely to answer you. alan

Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers
On 18/02/13 10:57, Muhammad Nadeem wrote: ca_cert=/usr/local/etc/raddb/certs/ca.pem client_cert=/usr/local/etc/raddb/certs/client.pem private_kry=/usr/local/etc/raddb/certs/server.key ^^^ typo - should be client.key This is basic stuff; please read the docs for wpa_supplicant/eapol_test

EAP-TLS and OS X clients

2013-02-17 Thread Jaap Winius
Hi folks, My WPA2-Enterprise configuration with Freeradius 2.1.0, EAP-TLS and 4096-bit SHA-1 certificates works great with wpa_supplicant on Linux, but can anyone help me understand how to get this to work for OS X (Lion) clients? My Linux client uses a copy of the ca.pem file to establish

Re: EAP-TLS and OS X clients

2013-02-17 Thread Alan DeKok
Jaap Winius wrote: Can anyone say what I should be doing differently? E.g. are *.cer certificates mandatory (if so, how can I make them?), or can I not use my self-signed certificates? I always use pem or crt files, not *.cer. It works on my Mac. Alan DeKok.

Re: EAP-TLS and OS X clients

2013-02-17 Thread A . L . M . Buxey
Hi, https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network In this example, the users are given a personalized *.cer certificate to add to their keychain. Since I don't have any client.cer files, I tried this approach with a

Re: EAP-TLS problem

2013-02-17 Thread Tobias Hachmer
Hello Muhammad, On 18.02.2013 07:17, Muhammad Nadeem wrote: Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I have configured eap.conf to use EAP-TLS. But I don't know how to send requests to freeradius server, so that he can authenticate the user using TLS (with digital

Re: EAP TLS client

2013-02-15 Thread Muhammad Nadeem
On 2/15/13, Stefan Winter stefan.win...@restena.lu wrote: Hi, I have configured freeradius to entertain EAP-TLS requests. And I am using the freeradius certificate (shipped with software). I got stuck at end, now I don't know how to send EAP-TLS request to server. I read man radeapclient

Re: EAP TLS client

2013-02-15 Thread A . L . M . Buxey
Hi, official website. But I have a problem, when I want to make eapol_test it gives the following error. /usr/bin/ld: cannot find -lnl collect2: ld returned 1 exit status make: *** [eapol_test] Error 1 Any idea about this error?// compilation error due to missing libraries.

Re: EAP TLS client

2013-02-14 Thread Stefan Winter
Hi, I have configured freeradius to entertain EAP-TLS requests. And I am using the freeradius certificate (shipped with software). I got stuck at end, now I don't know how to send EAP-TLS request to server. I read man radeapclient, but it only supports md5. Could you please tell me how could

RE: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread vazoumana fofana
, it bypassed users file. Maybe I must move these lines under authorize? Anyone to confirm it? cheers Date: Mon, 4 Feb 2013 10:32:22 -0500 From: al...@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: [EAP/TLS] Authenfication through a certificate vazoumana

Re: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread Alan Buxey
As already said, post output of radiusd -X (that will clearly show the logic taken) alan

RE: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread vazoumana fofana
: Re: [EAP/TLS] Authenfication through a certificate Date: Fri, 8 Feb 2013 16:20:20 + As already said, post output of radiusd -X (that will clearly show the logic taken) alan

[EAP/TLS] Authenfication through a certificate

2013-02-04 Thread vazoumana fofana
Dear everybody, I've got a question about EAP/TLS and authentication for a client through a certificate? I succeeded in setting up. But, I notice that freeradius matches client login with certificate CNAME. Is it possible to change it in order to match email instead of CNAME ? Best regards

Re: [EAP/TLS] Authenfication through a certificate

2013-02-04 Thread Alan DeKok
vazoumana fofana wrote: I've got a question about EAP/TLS and authentication for a client through a certificate? I succeeded in setting up. But, I notice that freeradius matches client login with certificate CNAME. Is it possible to change it in order to match email instead of CNAME ? Yes

AW: AW: AW: EAP-TLS Failed in handler question

2013-01-02 Thread PENZ Robert
...@lists.freeradius.org] On behalf of PENZ Robert Sent: Tuesday, 11 December 2012 16:30 To: FreeRadius users mailing list Subject: AW: AW: AW: EAP-TLS Failed in handler question Hi! Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks. Robert

Enforcing use of Eap-TLS or PEAP

2012-12-24 Thread Kamil Jońca
I try to set up radius authentication in my WiFi network. I want to have: 1. one user (samsung phone) should be authenticated with PEAP 2. others should be authenticated with EAP-TLS. Naive approach is to use Auth-Type but it's treated as misuse at http://deployingradius.com/documents

Re: Enforcing use of Eap-TLS or PEAP

2012-12-24 Thread Alan DeKok
Kamil Jońca wrote: I try to set up radius authentication in my WiFi network. I want to have: 1. one user (samsung phone) should be authenticated with PEAP 2. others should be authenticated with EAP-TLS. Give user (1) a password. Give each of the other users a client certificate. Done

Re: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread Phil Mayers
On 12/10/2012 08:00 PM, PENZ Robert wrote: @PhilMayers: Did you get the Mail with the full logfile? do you need more? I did, but honestly I prioritise personal help emails lower than ones to the list, sorry. I'll see if I have time to look today.

Re: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread Phil Mayers
On 10/12/12 20:00, PENZ Robert wrote: @PhilMayers: Did you get the Mail with the full logfile? do you need more? Ok, your NAS is buggy I'm afraid. In some small percentage of cases, it is not handling the wrapping of EAP id values from 255 to 0. The following sequence of (redacted) packets

AW: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread PENZ Robert
Hi! Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks. Robert

RE: AW: AW: EAP-TLS Failed in handler question

2012-12-10 Thread PENZ Robert
05, 2012 8:32 AM To: FreeRadius users mailing list Subject: AW: AW: AW: EAP-TLS Failed in handler question There is no other packet between this two and only 5 seconds, server has not been restarted. Weird. But we need the *full* debug please! some special option or the full log file

AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread PENZ Robert
] On behalf of PENZ Robert Sent: Tuesday, 27 November 2012 17:38 To: FreeRadius users mailing list Subject: AW: AW: EAP-TLS Failed in handler question With first packet I meant first packet the radius server saw in some time ... the switch forces a reauthentication every 2h A re

Re: AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread Phil Mayers
On 12/04/2012 03:59 PM, PENZ Robert wrote: There is no other packet between this two and only 5 seconds, server has not been restarted. Weird. But we need the *full* debug please!

AW: AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread PENZ Robert
There is no other packet between this two and only 5 seconds, server has not been restarted. Weird. But we need the *full* debug please! some special option or the full log file? The second I send you in a private mail. Robert

AW: AW: EAP-TLS Failed in handler question

2012-11-27 Thread PENZ Robert
. ok ... will try to get one .. is not easy ... but reject means the switch sets the port to the guest vlan, and therefore the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client? You're not understanding, or I'm not making myself clear

Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
: On 11/23/2012 08:03 AM, Uros Kolar wrote: Hi all! We've been using freeradius 2.1.12 with EAP-TLS authentication. The problem we experience is constant disconnects of the clients. After some time (it seems like the intervals are random) of usage the connection drops. I don't have a debug

Re: EAP-TLS constant disconnects

2012-11-26 Thread alan buxey
Hi, The results are really interesting and not expected. how long does the process take? what are your NAS timers and FreeRADIUS timers? alan

Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
Hi, I've interrupted the test after the described process was already going on for 2 min. Don't know exactly what timers you mean. I checked time settings on servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to GMT. Please correct me if that's not what you meant. On Mon,

Re: EAP-TLS constant disconnects

2012-11-26 Thread alan buxey
Hi, I've interrupted the test after the described process was already going on for 2 min. Don't know exactly what timers you mean. I checked time settings on servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to GMT. Please correct me if that's not what

Re: EAP-TLS constant disconnects

2012-11-26 Thread Uros Kolar
Thanks for the additional info on timers. Here are the values, hope I didn't leave out something. Basically we left them set to default. timer expire for eap is 60 cleanup delay is set to 5 reject delay to 1 max request time is 30 uros On Mon, Nov 26, 2012 at 12:14 PM, alan buxey

EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-21 Thread Swaraj
I'm using Freeradius server2.1.12 on x86 fedora14. My client is using (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius server I am receiving the following errors. The client is broken. It's not doing SSL correctly. Do we require different certificates for arm boards,

AW: EAP-TLS Failed in handler question

2012-11-21 Thread PENZ Robert
Ok so this says: 02 - eap response ff - eap ID 255 - bit odd.. 0069 - length in hex 0d - eap type 13 (EAP-TLS) 80 - eap TLS flags = length included 005f - tls length 160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0) 005a - record length 01 - handshake=client hello

Re: AW: EAP-TLS Failed in handler question

2012-11-21 Thread Phil Mayers
capture to be sure. but reject means the switch sets the port to the guest vlan, and therefore the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client? You're not understanding, or I'm not making myself clear. Suggestion: fire up wireshark

EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Swaraj
{...} Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Alan DeKok
Swaraj wrote: I'm using Freeradius server2.1.12 on x86 fedora14. My client is using (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius server I am receiving the following errors. The client is broken. It's not doing SSL correctly. Do we require different certificates

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers
On 20/11/12 13:26, Alan DeKok wrote: Swaraj wrote: I'm using Freeradius server2.1.12 on x86 fedora14. My client is using (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius server I am receiving the following errors. The client is broken. It's not doing SSL correctly.

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers
On 20/11/12 12:38, Swaraj wrote: Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 That's very odd. It looks like a problem with OpenSSL - maybe endian-ness or something? I created certificates with the

EAP-TLS Failed in handler question

2012-11-19 Thread PENZ Robert
Hi! I've 802.1x (EAP-TLS) on a wired network activated, and it works 99% of the time ... just some authentications fail, but some minutes later the same client authenticates without a problem. As it happens only once every few days and always with a new client I cannot put a sniffer between

Re: EAP-TLS Failed in handler question

2012-11-19 Thread Phil Mayers
= 0x02ff00690d80005f160301005a01 Ok so this says: 02 - eap response ff - eap ID 255 - bit odd.. 0069 - length in hex 0d - eap type 13 (EAP-TLS) 80 - eap TLS flags = length included 005f - tls length 160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0) 005a - record length 01 - handshake=client

Wireless EAP-TLS Login from Notebook with User and PASSWORD

2012-11-07 Thread sierramailpapa
Hey there, I’ve setup a freeradius Server and am using EAP-TLS, and would need some help from you. The users file contains the username and the password being allowed to connect after TLS Connection has been established, and this is working on an android phone with no problems so far. One

Re: Wireless EAP-TLS Login from Notebook with User and PASSWORD

2012-11-07 Thread Phil Mayers
On 11/07/2012 08:33 AM, sierramailp...@gmx.de wrote: Hey there, I’ve setup a freeradius Server and am using EAP-TLS, and would need some help from you. The users file contains the username and the password being allowed to connect after TLS Connection has been established, and this is working

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis
Hi Alan, Alan DeKok wrote: Freeradius. Using Linux I can send whatever I want as the loginname. If you know you can change the client, then change the client. This is exactly what I want to do! Change the loginname, the client sends to the Authenticator. It's a Windows 802.1x

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis
Hi Phil, Phil Mayers wrote: I don't understand - you're saying that, for windows clients: 1. On wi-fi they send host/name.domain.com 2. On LAN, then send... something else? Are you sure? We don't see that. Exactly. On wifi they send hostname on LAN they send: host/hostname hostname

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers
On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote: Hi Alan, Alan DeKok wrote: Freeradius. Using Linux I can send whatever I want as the loginname. If you know you can change the client, then change the client. This is exactly what I want to do! Change the loginname, the clients

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread alan buxey
Hi, Phil Mayers wrote: I don't understand - you're saying that, for windows clients: 1. On wi-fi they send host/name.domain.com 2. On LAN, they send... something else? Are you sure? We don't see that. I agree Exactly. On wifi they send hostname on LAN they send:

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers
On 10/12/2012 09:59 AM, Alexandros Gougousoudis wrote: Hi Phil, Phil Mayers wrote: I don't understand - you're saying that, for windows clients: 1. On wi-fi they send host/name.domain.com 2. On LAN, they send... something else? Are you sure? We don't see that. Exactly. On wifi they

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis
on a NT4-Sambadomain and are not using an AD? Since XP SP3 we establish a machine-auth via exporting, textediting and importing the profile-xml of the specific LAN-interface, we're authenticating using EAP-TLS, CN of the cert is the hostname. Machine-auth via WLAN is done by a registry-change. Ok

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread David Mitton
The behavior _is_ configurable, but as you have observed for your particular network, the default is not to attempt machine auth. It is configurable on a per-network connection basis, I'm getting fuzzy on if it's adapter or SSID based. If the OP is observing such behavior, he needs to

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis
Hi David, David Mitton wrote: If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that. It is consistent for all machines in the network. To figure out why this happened, is exactly what I want to

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers
On 12/10/12 13:48, David Mitton wrote: The behavior _is_ configurable, but as you have observed for your particular network, the default is not to attempt machine auth. It is configurable on a per-network connection basis, I'm getting fuzzy on if it's adapter or SSID based. No, you've

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers
On 12/10/12 13:59, Alexandros Gougousoudis wrote: Hi David, David Mitton wrote: If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that. It is consistent for all machines in the network. To figure

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Alexandros Gougousoudis
Phil Mayers wrote: Is it possible your wireless networking equipment is mangling the hostnames? Which vendor are you using? Mhh, I can check that again, it's an old Linksys-AP. I'll see if that happens also with the other more professional hardware we have. Have you verified that you really

EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread Alexandros Gougousoudis
Hi, we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now. If I make an auth via LAN the provided username is hostname, if I do

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread Alan DeKok
Alexandros Gougousoudis wrote: we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now. If I make an auth via LAN the provided

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread Alexandros Gougousoudis
Hi Alan, thanks for your reply! Alan DeKok wrote: host/ as a realm for our Radsecproxy, I'd like to change the behaviour for the authentication via LAN and add a string to the hostname Don't. You will break EAP. That's not clear. Why would that break EAP if the workstations
