Dear FreeRADIUS users, Firstly, I am attempting to get XP/OSX clients to connect to a 802.1x WLAN provided by a cisco wlan controller. This is currently backed by ACS and works, but i'd like to use FreeRADIUS is possible, with half my users in LDAP and half in MySQL. The setup uses PEAP, however am I correct in thinking that the RADIUS server never touches any TLS components. The TLS tunnel is between the WLAN controller and the client right? Furthermore, I know I cannot use ldap authentication (binding) as a result of the eap conversation, however can I store an NT-Hash in LDAP/MySQL for the mschapv2 module to pick up and use? I'd prefer not to store clear text at all if possible... I have everything I need compiled and installed, but I'd like to know whether or not I can achieve my goal before wasting a lot of my time. Any pointers are thus greatly appreciated. thanks Rob -- Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ rob@techniumcast.com | 01248 675024 | 07776 210516
Firstly, I am attempting to get XP/OSX clients to connect to a 802.1x WLAN provided by a cisco wlan controller. This is currently backed by ACS and works, but i'd like to use FreeRADIUS is possible, with half my users in LDAP and half in MySQL.
The setup uses PEAP, however am I correct in thinking that the RADIUS server never touches any TLS components. The TLS tunnel is between the WLAN controller and the client right?
Nope, the TLS tunnel starts at the client and ends at the Radius server: that's why the radius server needs a certificate (see the eap.conf file) and the client needs to check the radius server's certificate.
Furthermore, I know I cannot use ldap authentication (binding) as a result of the eap conversation,
True because PEAP implies a ms-chapv2 exchange that requires the knowledge of the NT-Hash (ldap used as an authorization backend and not an authentication module)
however can I store an NT-Hash in LDAP/MySQL for the mschapv2 module to pick up and use? I'd prefer not to store clear text at all if possible...
Yes for Ldap (see ldapattr.map) that maps the radius internal attribute NT-Password to sambaNTPassword by default.
I have everything I need compiled and installed, but I'd like to know whether or not I can achieve my goal before wasting a lot of my time. Any pointers are thus greatly appreciated.
see doc/rlm_ldap ldapattr.map configuration file and the ldap section of radiusd.conf HTH, Thibault
Rob Shepherd wrote:
The setup uses PEAP, however am I correct in thinking that the RADIUS server never touches any TLS components. The TLS tunnel is between the WLAN controller and the client right?
PEAP - Protected EAP - the protection is the TLS tunnel which is between the RADIUS client and RADIUS server.
Hi; I need ur help on this issue please. I have configured two pools of IPs in the radiusd.conf, but when I add the pool's name in the post-auth section, the daemon would not start. While debugging, I've got this message: Rlm_ippool: Failed to open file /etc/raddb/db.ippool/db.ippool: permission denied Radiusd.conf [1482]: main_pool : Module instantation failed. Any help would be appreciated Thanks Elie
Elie Hani wrote:
Rlm_ippool: Failed to open file /etc/raddb/db.ippool/db.ippool: permission denied
Hi Elie, What does ls -l /etc/raddb/db.ippool/db.ippool say? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
Hi James; The folder db.ippool does not exist in /etc/raddb. And I can't locate it using the " locate db.ippool" in the root directory. Thanks -----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of James Wakefield Sent: Saturday, August 19, 2006 10:32 AM To: FreeRadius users mailing list Subject: Re: help on this issue Elie Hani wrote:
Rlm_ippool: Failed to open file /etc/raddb/db.ippool/db.ippool: permission denied
Hi Elie, What does ls -l /etc/raddb/db.ippool/db.ippool say? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Elie Hani wrote:
Hi James;
The folder db.ippool does not exist in /etc/raddb. And I can't locate it using the " locate db.ippool" in the root directory.
Thanks
Can you post your radiusd.conf? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
This is the radiusd.conf file, and the clients file. Thanks guys for ur help. Elie -----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of James Wakefield Sent: Saturday, August 19, 2006 11:22 AM To: FreeRadius users mailing list Subject: Re: help on this issue Elie Hani wrote:
Hi James;
The folder db.ippool does not exist in /etc/raddb. And I can't locate it using the " locate db.ippool" in the root directory.
Thanks
Can you post your radiusd.conf? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Elie Hani" <ehani@wise.net.lb> wrote:
While debugging, I've got this message:
Rlm_ippool: Failed to open file /etc/raddb/db.ippool/db.ippool: permission denied
It looks like you have one extra "db.ippool" name in the ippool configuration. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi Alan; Well I want to thank u for this idea, even if it was not the solution, but it guided me to the solutions. The solution was as follows: The db.ippool didn't have enough permission to be created, so I've created it myself (touch db.ippool) Then I have changed the permission: chmod 777 db.ippool But after finishing the test, we should change the permissions for security reasons, and it depends on the groups and the users. And now it is working great. Thanks again guys. -----Original Message----- From: freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org [mailto:freeradius-users-bounces+ehani=wise.net.lb@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Saturday, August 19, 2006 5:21 PM To: FreeRadius users mailing list Subject: Re: help on this issue "Elie Hani" <ehani@wise.net.lb> wrote:
While debugging, I've got this message:
Rlm_ippool: Failed to open file /etc/raddb/db.ippool/db.ippool: permission denied
It looks like you have one extra "db.ippool" name in the ippool configuration. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 8/18/2006 03:42 PM, Michael Lecuyer wrote:
Rob Shepherd wrote:
The setup uses PEAP, however am I correct in thinking that the RADIUS server never touches any TLS components. The TLS tunnel is between the WLAN controller and the client right?
PEAP - Protected EAP - the protection is the TLS tunnel which is between the RADIUS client and RADIUS server.
ummm... No. The PEAP tunnel is from the EAP Peer (client or wifi supplicant) to the EAP Server (which is typically connected to or part of the RADIUS server). The Access Point is the RADIUS client. No RADIUS goes over the radio. But the PEAP protects the EAP authentication in the air. That said, most RADIUS server implementations call a TLS module or service to deal with it, as it not really part of RADIUS proper. EAP like other forms of authentication isn't always resolved by the RADIUS server, it just gets the answer and communicates it. Dave.
participants (7)
-
Alan DeKok -
David Mitton -
Elie Hani -
James Wakefield -
Michael Lecuyer -
Rob Shepherd -
Thibault Le Meur