<div dir="ltr">Thank you very much.<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Tzvika Gelber wrote:<br>
> I created a new user with the MAC address of the client as the user and<br>
> password :<br>
...<br>
> 00C0CA32A157 Cleartext-Password := "00C0CA32A157"<br>
...<br>
> User-Name = "00c0ca32a157"<br>
> User-Password = "00c0ca32a157"<br>
<br>
You do realize that they are different, right?<br>
<br>
The comparisons in the users file are case-sensitive.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Sun, 9 Dec 2012 09:38:03 -0600<br>
From: Dan Letkeman <<a href="mailto:danletkeman@gmail.com">danletkeman@gmail.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: computer authentication<br>
Message-ID:<br>
<CAPY==<a href="mailto:jnnw7fUHHpB1FvqPqMu8gQtuFERP_9WMWv__n7sVQec0w@mail.gmail.com">jnnw7fUHHpB1FvqPqMu8gQtuFERP_9WMWv__n7sVQec0w@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Thank you Matthew for the clarification I could successfully get the<br>
windows 7 client to try and make a request (you defiantly need to have the<br>
certs imported into exactly the correct spots). But now my debug log says<br>
that its failing. This is a default 2.1.12 install with the switch added<br>
to the clients.conf file.<br>
<br>
<br>
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204,<br>
length=180<br>
User-Name = "host/<a href="mailto:user@example.com">user@example.com</a>"<br>
Service-Type = Framed-User<br>
Framed-MTU = 1500<br>
Called-Station-Id = "9C-AF-CA-F4-40-10"<br>
Calling-Station-Id = "64-31-50-7D-72-DE"<br>
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d<br>
Message-Authenticator = 0x41f4a411366a244a23e887c859436d0b<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50016<br>
NAS-Port-Id = "GigabitEthernet0/16"<br>
NAS-IP-Address = 10.11.200.73<br>
# Executing section authorize from file /etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] Looking up realm "<a href="http://example.com" target="_blank">example.com</a>" for User-Name = "host/<br>
<a href="mailto:user@example.com">user@example.com</a>"<br>
[suffix] Found realm "<a href="http://example.com" target="_blank">example.com</a>"<br>
[suffix] Adding Stripped-User-Name = "host/user"<br>
[suffix] Adding Realm = "<a href="http://example.com" target="_blank">example.com</a>"<br>
[suffix] Proxying request from user host/user to realm <a href="http://example.com" target="_blank">example.com</a><br>
[suffix] Preparing to proxy authentication request to realm "<a href="http://example.com" target="_blank">example.com</a>"<br>
++[suffix] returns updated<br>
[eap] Request is supposed to be proxied to Realm <a href="http://example.com" target="_blank">example.com</a>. Not doing<br>
EAP.<br>
++[eap] returns noop<br>
++[files] returns noop<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
++[pap] returns noop<br>
WARNING: Empty pre-proxy section. Using default return values.<br>
Sending Access-Request of id 231 to 127.0.0.1 port 1812<br>
User-Name = "host/user"<br>
Service-Type = Framed-User<br>
Framed-MTU = 1500<br>
Called-Station-Id = "9C-AF-CA-F4-40-10"<br>
Calling-Station-Id = "64-31-50-7D-72-DE"<br>
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50016<br>
NAS-Port-Id = "GigabitEthernet0/16"<br>
NAS-IP-Address = 10.11.200.73<br>
Proxy-State = 0x323034<br>
Proxying request 0 to home server 127.0.0.1 port 1812<br>
Sending Access-Request of id 231 to 127.0.0.1 port 1812<br>
User-Name = "host/user"<br>
Service-Type = Framed-User<br>
Framed-MTU = 1500<br>
Called-Station-Id = "9C-AF-CA-F4-40-10"<br>
Calling-Station-Id = "64-31-50-7D-72-DE"<br>
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50016<br>
NAS-Port-Id = "GigabitEthernet0/16"<br>
NAS-IP-Address = 10.11.200.73<br>
Proxy-State = 0x323034<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231,<br>
length=171<br>
User-Name = "host/user"<br>
Service-Type = Framed-User<br>
Framed-MTU = 1500<br>
Called-Station-Id = "9C-AF-CA-F4-40-10"<br>
Calling-Station-Id = "64-31-50-7D-72-DE"<br>
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d<br>
Message-Authenticator = 0x0d22b2b1d5102149a8c1c731bc6613dd<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50016<br>
NAS-Port-Id = "GigabitEthernet0/16"<br>
NAS-IP-Address = 10.11.200.73<br>
Proxy-State = 0x323034<br>
# Executing section authorize from file /etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "host/user", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 1 length 26<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>
++[files] returns noop<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication<br>
may fail because of this.<br>
++[pap] returns noop<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group authenticate {...}<br>
[eap] Identity does not match User-Name, setting from EAP Identity.<br>
[eap] Failed in handler<br>
++[eap] returns invalid<br>
Failed to authenticate the user.<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> host/user<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 1 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 1<br>
Sending Access-Reject of id 231 to 127.0.0.1 port 1814<br>
Proxy-State = 0x323034<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=231,<br>
length=25<br>
Proxy-State = 0x323034<br>
# Executing section post-proxy from file /etc/raddb/sites-enabled/default<br>
+- entering group post-proxy {...}<br>
[eap] No pre-existing handler found<br>
++[eap] returns noop<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> host/<br>
<a href="mailto:user@example.com">user@example.com</a><br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Sending Access-Reject of id 204 to 10.11.200.73 port 1645<br>
Finished request 0.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 1 ID 231 with timestamp +14<br>
Cleaning up request 0 ID 204 with timestamp +14<br>
Ready to process requests.<br>
<br>
<br>
<br>
On Fri, Dec 7, 2012 at 2:23 PM, Matthew Newton <<a href="mailto:mcn4@leicester.ac.uk">mcn4@leicester.ac.uk</a>> wrote:<br>
<br>
> On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:<br>
> > Sorry, I was not clean with my setup information. We do not have a<br>
> domain,<br>
> > these are stand alone windows 7 devices. We also have some tablets and<br>
> > some linux boxes. Concern right now is the Windows 7 devices. I didn't<br>
> > know that you cannot do machine authentication without a domain....<br>
><br>
> You can, but you'll need to handle the certificates on the hosts<br>
> manually. That's usually such a pain that the only real solution<br>
> is to use AD. If you've got a small number of devices, or can<br>
> write some other automated method of deploying certs, then it can<br>
> be possible to handle.<br>
><br>
> What you /can't/ do is both User auth (mschap - username +<br>
> password) *and* Computer auth (certificates - EAP-TLS) in the same<br>
> connection, as the default Windows supplicant, like most, doesn't<br>
> support client certificates with PEAP (and user auth - mschap -<br>
> needs to be inside PEAP).<br>
><br>
> > User authentication in my environment is just not an option because all<br>
> of<br>
> > the devices need to have a connection to the network at all times even if<br>
> > nobody is logged in. Should I be using PEAP/EAP-TLS instead?<br>
><br>
> There are no good reasons for doing PEAP/EAP-TLS unless you want<br>
> to use SoH. PEAP adds overhead to the auth, with no added benefit.<br>
><br>
> > If so do you know of any good setup documentation for that?<br>
><br>
> I wrote up how to do PEAP/EAP-TLS a while back - you can find it<br>
> here: <a href="http://q.asd.me.uk/pet" target="_blank">http://q.asd.me.uk/pet</a><br>
><br>
> That said - your connection is trying to do PEAP, so you've<br>
> configured your client for either 'certifiates' or mschap inside<br>
> PEAP. I forget the exact options in the interface, but you need to<br>
> choose 'certificates' rather than 'PEAP', then select the client<br>
> certificate that you want to auth with - which will be one that is<br>
> signed by the same CA that the CA_file option in your FreeRADIUS<br>
> eap.conf file points to. Make sure it's set to 'Computer' auth,<br>
> not 'User' or 'User + Computer'.<br>
><br>
> In theory, you'll then find that it Just Works. But the Windows<br>
> config interface takes a bit of head scratching to get around<br>
> until you understand what it's doing under the hood.<br>
><br>
> Cheers<br>
><br>
> Matthew<br>
><br>
><br>
> --<br>
> Matthew Newton, Ph.D. <<a href="mailto:mcn4@le.ac.uk">mcn4@le.ac.uk</a>><br>
><br>
> Systems Architect (UNIX and Networks), Network Services,<br>
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom<br>
><br>
> For IT help contact helpdesk extn. 2253, <<a href="mailto:ithelp@le.ac.uk">ithelp@le.ac.uk</a>><br>
> -<br>
> List info/subscribe/unsubscribe? See<br>
> <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.freeradius.org/pipermail/freeradius-users/attachments/20121209/7f5912b8/attachment.html" target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/attachments/20121209/7f5912b8/attachment.html</a>><br>
<br>
------------------------------<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
End of Freeradius-Users Digest, Vol 92, Issue 21<br>
************************************************<br>
</blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">____<div>Sometimes you just glow in the dark...</div></div><br>
</div>