Hi, I've got a couple of Wi-Fi APs that support "802.1X" (3Com 7760), so I want to configure them to authorize client connections based on user information stored in an LDAP server (Fedora Directory Server, all users already have "samba" type password hashes). My first question for the list, to which I haven't been able to find a clear answer ever is : What EAP sub-types are the ones I should configure? My requirements : * Be able to have many different types of clients supported (Windows XP, GNU/Linux wpa_supplicant/NM, mobile devices etc.). * Not to have to bother about a local CA or any type of PKI (i.e. not generate certificates for all users, just have them user their login/pass). I used to have a working EAP-PEAP setup, with MSCHAPv2 IIRC, the current LDAP server and a Linksys AP. Unfortunately that setup is no more and I need to reconfigure one from scratch. Should I go with EAP-PEAP? Is that the "PEAPv0/EAP-MSCHAPv2" from the wiki? I also store md5 passwords in my LDAP server, is there any other simpler way to configure access using those instead of the LM/NT passwords? (my understanding is that... nope) Sorry for all of these possibly silly questions, it's just that the more docs I read to try and implement what I need, the more I feel lost (which isn't a very good sign). TIA for any help, Matthias -- Clean custom Red Hat Linux rpm packages : http://freshrpms.net/ Fedora release 9 (Sulphur) - Linux kernel 2.6.26.5-45.fc9.x86_64 Load : 0.57 0.52 0.60
My first question for the list, to which I haven't been able to find a clear answer ever is : What EAP sub-types are the ones I should configure?
Nothing. Just don't touch anything in eap.conf and all supported eap types will work. If you generate certificates with scripts provided you don't even need to touch the tls section.
My requirements : * Be able to have many different types of clients supported (Windows XP, GNU/Linux wpa_supplicant/NM, mobile devices etc.). * Not to have to bother about a local CA or any type of PKI (i.e. not generate certificates for all users, just have them user their login/pass).
PEAP should be the protocol most clients will use.
Should I go with EAP-PEAP? Is that the "PEAPv0/EAP-MSCHAPv2" from the wiki?
Yes.
I also store md5 passwords in my LDAP server, is there any other simpler way to configure access using those instead of the LM/NT passwords? (my understanding is that... nope)
Correct. You can't use md5 passwords with mschap. http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote :
My requirements : * Be able to have many different types of clients supported (Windows XP, GNU/Linux wpa_supplicant/NM, mobile devices etc.). * Not to have to bother about a local CA or any type of PKI (i.e. not generate certificates for all users, just have them user their login/pass).
PEAP should be the protocol most clients will use.
Should I go with EAP-PEAP? Is that the "PEAPv0/EAP-MSCHAPv2" from the wiki?
Yes.
Then I'm still completely lost. I've spent the whole day trying to get my mobile phone to connect to the Wi-Fi using EAP-TLS and EAP-PEAP with MSCHAPv2 in the PEAP configuration part. The radiusd debug output isn't really clear to me, and I'm still not sure where my problem is : * Is my Wi-Fi AP working okay? I guess since it's meant to be "dumb"... * Is my mobile phone configured okay? I don't know. * Is my radiusd configured okay? I don't know. * Is my LDAP client access configured okay? I don't know. * Are my SSL certificates configured okay? I don't know. * Am I even trying to right EAP modules/combination/auth? I don't know. Pretty tough, eh? :-) I'll be digging some more, but I do have three quick questions : 1) The only output I manage to get related to TLS is the following, is it normal or does it denote an error? [tls] Initiate [tls] Start returned 1 2) I keep getting this warning about LDAP passwords, but it seems like radiusd did manage to get the two useful hashes, should I worry or is the message harmless? [ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x394133304 [...] rlm_ldap: sambaLmPassword -> LM-Password == 0x433042322 [...] [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user matthias authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok 3) What is it I should be configuring exactly on my mobile phone? Is EAP-TLS and EAP-PEAP with EAP-MSCHAPv2 something that should be working or am I on the wrong track? Matthias -- Clean custom Red Hat Linux rpm packages : http://freshrpms.net/ Fedora release 9 (Sulphur) - Linux kernel 2.6.26.5-45.fc9.x86_64 Load : 0.19 0.14 0.14
Matthias Saou wrote :
1) The only output I manage to get related to TLS is the following, is it normal or does it denote an error?
[tls] Initiate [tls] Start returned 1
Replying to myself here, but I'm completely stuck and really suspect this to the be problem. Am I right assuming this? Attached is the output from "radiusd -X". What I think is happening : * The authorization is working, the "matthias" LDAP user is found. * The authentication is failing right after it tries to start TLS as part of the PEAP + MSCHAPv2 process. This is with a certificate I've signed with my local CA, making sure it contains the extendedKeyUsage as explained in certs/README, but the same was happening with the default files created by "bootstrap". I'm just really confused by now :-) Matthias -- Clean custom Red Hat Linux rpm packages : http://freshrpms.net/ Fedora release 9 (Sulphur) - Linux kernel 2.6.26.5-45.fc9.x86_64 Load : 0.39 0.50 0.43
Matthias Saou wrote:
Replying to myself here, but I'm completely stuck and really suspect this to the be problem. Am I right assuming this? Attached is the output from "radiusd -X". What I think is happening :
Follow the instructions on my web site (deployingradius.com) for doing PEAP. Testing with a real device is one of the last things you want to do.
* The authorization is working, the "matthias" LDAP user is found. * The authentication is failing right after it tries to start TLS as part of the PEAP + MSCHAPv2 process.
This is interesting: rad_recv: Access-Request packet from host 192.168.1.112 port 1094, id=1, length=194 Sending duplicate reply to client AP3 port 1094 - ID: 1 It means that the NAS isn't receiving the response from the server, and is re-sending the request. Alan DeKok.
* Not to have to bother about a local CA or any type of PKI (i.e. not generate certificates for all users, just have them user their login/pass).
But if you are using a self-signed CA you need to import that CA to the user device. For Windows into Trusted Root Certificate store. You don't need client certificates and PKI but you need the CA.
* Is my Wi-Fi AP working okay? I guess since it's meant to be "dumb"...
Yes, they are ment to be dumb.
* Is my mobile phone configured okay? I don't know.
No idea.
* Is my radiusd configured okay? I don't know.
Yes.
* Is my LDAP client access configured okay? I don't know.
Yes.
* Are my SSL certificates configured okay? I don't know.
Yes.
* Am I even trying to right EAP modules/combination/auth? I don't know.
Yes.
1) The only output I manage to get related to TLS is the following, is it normal or does it denote an error?
[tls] Initiate [tls] Start returned 1
See above about importing CA certificate. I have no idea if you can set a mobile device to "trust all server certificates". It's a bad idea in general but it can help with testing (you don't need to import CA then but users are vulnerable to rougue radius servers and APs).
2) I keep getting this warning about LDAP passwords, but it seems like radiusd did manage to get the two useful hashes, should I worry or is the message harmless?
[ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x394133304 [...] rlm_ldap: sambaLmPassword -> LM-Password == 0x433042322 [...] [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user matthias authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok
That's normal. Tou don't have "good" (cleartext) but NT-Password.
3) What is it I should be configuring exactly on my mobile phone? Is EAP-TLS and EAP-PEAP with EAP-MSCHAPv2 something that should be working or am I on the wrong track?
EAP-TLS requires a client certificate. Stick with PEAP. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Matthias Saou -
tnt@kalik.net