Hi Alan, I have added 123 entries in client.conf but only top 2 entries are working remaining not. Regards Aditya Vijjan On Mon, Mar 25, 2019 at 3:01 PM < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Clients.conf (Alan DeKok) 2. Logging config to get certificate details (Jim Potter) 3. Re: Logging config to get certificate details (Alan DeKok) 4. Re: Logging config to get certificate details (Jim Potter) 5. Re: Logging config to get certificate details (Alan DeKok) 6. Re: Logging config to get certificate details (Jim Potter) 7. Re: Logging config to get certificate details (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Mon, 25 Mar 2019 04:15:14 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Clients.conf Message-ID: <87DB7382-35DD-4649-AE92-D7AF30897DFE@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Mar 25, 2019, at 3:25 AM, Aditya Vijjan <aditya.vijjan@gmail.com> wrote:
I have different clients using diff IP and secret, i have allowed in clients.conf but only top 2 entries are allowed and remaining not
working,
That's now how the server works.
If you add clients to clients.conf, they are added, and they work.
Perhaps you could give a more detailed explanation.
Alan DeKok.
------------------------------
Message: 2 Date: Mon, 25 Mar 2019 08:53:31 +0000 From: Jim Potter <j.potter@bathspa.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Logging config to get certificate details Message-ID: < CAF_FbKP7hCijAeD4TXfiPUoTkvUGzao7pXLTztLRJyWf5U5m-A@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Hi all,
We have a PEAP eduroam setup here, and I have a suspicion that not all our users are using/validating the server certificate - I know we can set the clients up to not use certificates and they can still connect fine. (I'm not completely clear on the PEAP process and whether the clients are still using the server cert but aren't validating it, or whether no cert is used at all in this case).
So what I'd like to find out is if I can set the server logging up to find out about the certificates used by each client - whether a cert is being requested, and if so, whether the certificate is being validated by the clients. I know this is primarily a client issue, but I'm looking for signs of this from the server so I can see how widespread this is. I've tried auth_goodpass/auth_badpass (no luck), I'm not sure where next to look on this - does anyone have any advice?
thanks (again) in advance
Jim Potter
------------------------------
Message: 3 Date: Mon, 25 Mar 2019 04:55:35 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Logging config to get certificate details Message-ID: <85A9DD14-A179-4182-8912-39B94DA0FC05@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Mar 25, 2019, at 4:53 AM, Jim Potter <j.potter@bathspa.ac.uk> wrote:
We have a PEAP eduroam setup here, and I have a suspicion that not all
our
users are using/validating the server certificate - I know we can set the clients up to not use certificates and they can still connect fine. (I'm not completely clear on the PEAP process and whether the clients are still using the server cert but aren't validating it, or whether no cert is used at all in this case).
You can't tell what the client is doing.
The server sends the certs to the client, and the client either validates them, or ignores them. It doesn't tell the server what it's doing.
So what I'd like to find out is if I can set the server logging up to find out about the certificates used by each client - whether a cert is being requested, and if so, whether the certificate is being validated by the clients. I know this is primarily a client issue, but I'm looking for signs of this from the server so I can see how widespread this is. I've tried auth_goodpass/auth_badpass (no luck), I'm not sure where next to look on this - does anyone have any advice?
This information is available only on the client. The client doesn't tell anyone else what it's doing.
Alan DeKok.
------------------------------
Message: 4 Date: Mon, 25 Mar 2019 09:06:39 +0000 From: Jim Potter <j.potter@bathspa.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Logging config to get certificate details Message-ID: <CAF_FbKM2C2bb1LVdw+yuqHeEktXcnAUNA5rTHa9f+vJoaT35= w@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Hi Alan,
Thanks for the quick reply!
So doesn't the client return a PEAP request containing the MSCHAPv2 request encrypted using the server certificate? My hope was that if a client device wasn't using a cert at all, I could see the format of the reply or something similar... but then if the clients are using whatever cert is sent out, but not validating it, that wouldn't show up.
OK, so, plan B - if I set up a rogue access point (FreeRadius WPE or similar with a self signed certificate), I could see who connects regardless of the dubious cert, then chase them up. Would that work?
thanks again,
Jim
On Mon, 25 Mar 2019 at 08:55, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 25, 2019, at 4:53 AM, Jim Potter <j.potter@bathspa.ac.uk> wrote:
We have a PEAP eduroam setup here, and I have a suspicion that not all
our
users are using/validating the server certificate - I know we can set the clients up to not use certificates and they can still connect fine. (I'm not completely clear on the PEAP process and whether the clients are still using the server cert but aren't validating it, or whether no cert is used at all in this case).
You can't tell what the client is doing.
The server sends the certs to the client, and the client either validates them, or ignores them. It doesn't tell the server what it's doing.
So what I'd like to find out is if I can set the server logging up to find out about the certificates used by each client - whether a cert is being requested, and if so, whether the certificate is being validated by the clients. I know this is primarily a client issue, but I'm looking for signs of this from the server so I can see how widespread this is. I've tried auth_goodpass/auth_badpass (no luck), I'm not sure where next to look on this - does anyone have any advice?
This information is available only on the client. The client doesn't tell anyone else what it's doing.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- thanks,
Jim Potter User Platform Engineer IT Services Bath Spa University
T: 01225 876220 Visit www.bathspa.ac.uk Join us on: Facebook <http://www.facebook.com/bath.spa.university>| Twitter <https://twitter.com/#!/BathSpaUni>| YouTube <http://www.youtube.com/BathSpaUniversity>| LinkedIn <http://www.linkedin.com/company/bath-spa-university> Newton Park, Bath, BA2 9BN
Think before you print
Disclaimer If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed in personal emails are solely those of the author and do not necessarily represent those of Bath Spa University. Neither Bath Spa University nor the sender accepts any responsibility for viruses and it is your responsibility to scan this email and any attachments for viruses.
------------------------------
Message: 5 Date: Mon, 25 Mar 2019 05:15:12 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Logging config to get certificate details Message-ID: <B733798B-02B6-4901-9B5D-B4B704FB070F@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Mar 25, 2019, at 5:06 AM, Jim Potter <j.potter@bathspa.ac.uk> wrote:
So doesn't the client return a PEAP request containing the MSCHAPv2 request encrypted using the server certificate?
No.
PEAP essentially sets up a TLS connection between the two endpoints. It then sends MS-CHAPv2 data inside of the TLS tunnel.
The MS-CHAPv2 is protected via the TLS protocol. It is *not* "encrypted using the server certificate".
My hope was that if a client device wasn't using a cert at all,
The client device gets the server cert sent to it by the server, as part of the TLS exchange. The client device is free to *ignore* this server certificate.
I could see the format of the reply or something similar... but then if the clients are using whatever cert is sent out, but not validating it, that wouldn't show up.
Yes.
OK, so, plan B - if I set up a rogue access point (FreeRadius WPE or similar with a self signed certificate), I could see who connects regardless of the dubious cert, then chase them up. Would that work?
People will connect if they configure it manually. Which most won't.
There really isn't any point in doing this. You won't get any useful information from it.
Alan DeKok.
------------------------------
Message: 6 Date: Mon, 25 Mar 2019 09:29:19 +0000 From: Jim Potter <j.potter@bathspa.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Logging config to get certificate details Message-ID: <CAF_FbKOAy-m61kMhFdm+wcdh4fy_1QqC= vx+MprzN6veYMh4iQ@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Hi Alan,
OK, thanks for the advice here. Historically, everyone has set up their devices manually, and I have a suspicion that some have been told to ignore the certificate, so if I do set up a rogue access point, this WILL catch anyone with this configured, correct?
cheers,
Jim
On Mon, 25 Mar 2019 at 09:15, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 25, 2019, at 5:06 AM, Jim Potter <j.potter@bathspa.ac.uk> wrote:
So doesn't the client return a PEAP request containing the MSCHAPv2 request encrypted using the server certificate?
No.
PEAP essentially sets up a TLS connection between the two endpoints. It then sends MS-CHAPv2 data inside of the TLS tunnel.
The MS-CHAPv2 is protected via the TLS protocol. It is *not* "encrypted using the server certificate".
My hope was that if a client device wasn't using a cert at all,
The client device gets the server cert sent to it by the server, as part of the TLS exchange. The client device is free to *ignore* this server certificate.
I could see the format of the reply or something similar... but then if the clients are using whatever cert is sent out, but not validating it, that wouldn't show up.
Yes.
OK, so, plan B - if I set up a rogue access point (FreeRadius WPE or similar with a self signed certificate), I could see who connects regardless of the dubious cert, then chase them up. Would that work?
People will connect if they configure it manually. Which most won't.
There really isn't any point in doing this. You won't get any useful information from it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- thanks,
Jim Potter User Platform Engineer IT Services Bath Spa University
T: 01225 876220 Visit www.bathspa.ac.uk Join us on: Facebook <http://www.facebook.com/bath.spa.university>| Twitter <https://twitter.com/#!/BathSpaUni>| YouTube <http://www.youtube.com/BathSpaUniversity>| LinkedIn <http://www.linkedin.com/company/bath-spa-university> Newton Park, Bath, BA2 9BN
Think before you print
Disclaimer If you have received this message in error, please notify us and remove it from your system. Any views or opinions expressed in personal emails are solely those of the author and do not necessarily represent those of Bath Spa University. Neither Bath Spa University nor the sender accepts any responsibility for viruses and it is your responsibility to scan this email and any attachments for viruses.
------------------------------
Message: 7 Date: Mon, 25 Mar 2019 05:31:46 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Logging config to get certificate details Message-ID: <E9025034-9BFF-4DD3-9F65-4AAA3BFAFEA4@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Mar 25, 2019, at 5:29 AM, Jim Potter <j.potter@bathspa.ac.uk> wrote:
OK, thanks for the advice here. Historically, everyone has set up their devices manually, and I have a suspicion that some have been told to
ignore
the certificate, so if I do set up a rogue access point, this WILL catch anyone with this configured, correct?
Maybe.
Alan DeKok.
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 167, Issue 65 *************************************************
-- Thanks & Regards Aditya Vijjan