Linksys WIFI Authentication using freeradius?
hello I have a Linksys WRT-110 router which supports various security mechanisms: WPA & WPA2 Personal, WPA Enterprise and Radius authentication. Today WPA2 Personal use where all my clients use the same key or password to connect. I want to change this so that each user can connect with username and password in a personal way, I was thinking my router to authenticate against a radius server. google search and it turns out all the variations I have encountered are implementing freeradius with PEAP TLS and mysql which should generate certificates and then configure the client and in turn install these certificates to the exchange between the server and client. I was wondering, there is some other simpler way that does not imply that this set up or install certificates on the client side? Well, I have several clients with different operating systems: Windows, Linux, Apple. Something as simple as putting the username and password. It OpenWrt I saw as another variant to follow and the router does not appear in the list of supported devices. Ideas? Michel ---------------------------------------------- Webmail, servicio de correo electronico Casa de las Americas - La Habana, Cuba.
On Wed, Dec 7, 2011 at 1:15 PM, <michel@casa.co.cu> wrote:
google search and it turns out all the variations I have encountered are implementing freeradius with PEAP TLS and mysql which should generate certificates and then configure the client and in turn install these certificates to the exchange between the server and client.
I was wondering, there is some other simpler way that does not imply that this set up or install certificates on the client side?
PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc. On these setup there's only one certificate: the server. Depending on your OS/supplicant, the client can be set up to ignore the certificate validation, or to have a pop up asking whether they trust the server certicate. Note that the CLIENT choose which authentication method to use. Setup on NAS (i.e. access point) side is the same.
Well, I have several clients with different operating systems: Windows, Linux, Apple.
Something as simple as putting the username and password.
Once you get pass certificate trust issue, it's a matter of putting username and password. -- Fajar
On Wednesday 07 December 2011 01:26:08 Fajar A. Nugraha wrote:
On Wed, Dec 7, 2011 at 1:15 PM, <michel@casa.co.cu> wrote:
google search and it turns out all the variations I have encountered are implementing freeradius with PEAP TLS and mysql which should generate certificates and then configure the client and in turn install these certificates to the exchange between the server and client.
I was wondering, there is some other simpler way that does not imply that this set up or install certificates on the client side?
PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc.
On these setup there's only one certificate: the server. Depending on your OS/supplicant, the client can be set up to ignore the certificate validation, or to have a pop up asking whether they trust the server certicate.
Note that the CLIENT choose which authentication method to use. Setup on NAS (i.e. access point) side is the same.
Well, I have several clients with different operating systems: Windows, Linux, Apple.
Something as simple as putting the username and password.
Once you get pass certificate trust issue, it's a matter of putting username and password.
Hi Fajar Thanks for reply me. If PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC works with one certificate on the side of the server, of the three methods what you recomend me to use in the server? Did you have a manual, doc, i can use to setting up the authentication with freeradius with PEAP-TTLS or PEAP-MSCHAPv2 or PEAP-GTC and mysql? Michel
On 12/07/2011 08:37 AM, Michel Bulgado wrote:
On Wednesday 07 December 2011 01:26:08 Fajar A. Nugraha wrote:
On Wed, Dec 7, 2011 at 1:15 PM,<michel@casa.co.cu> wrote:
google search and it turns out all the variations I have encountered are implementing freeradius with PEAP TLS and mysql which should generate certificates and then configure the client and in turn install these certificates to the exchange between the server and client.
I was wondering, there is some other simpler way that does not imply that this set up or install certificates on the client side? PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc.
On these setup there's only one certificate: the server. Depending on your OS/supplicant, the client can be set up to ignore the certificate validation, or to have a pop up asking whether they trust the server certicate.
Note that the CLIENT choose which authentication method to use. Setup on NAS (i.e. access point) side is the same.
Well, I have several clients with different operating systems: Windows, Linux, Apple.
Something as simple as putting the username and password. Once you get pass certificate trust issue, it's a matter of putting username and password.
Hi Fajar
Thanks for reply me.
If PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC works with one certificate on the side of the server, of the three methods what you recomend me to use in the server?
Did you have a manual, doc, i can use to setting up the authentication with freeradius with PEAP-TTLS or PEAP-MSCHAPv2 or PEAP-GTC and mysql?
Michel
At last! Finally after much struggle, I configure freeradius with mysql to authenticate wireless users. EAP-TTLS But another problem arises for me: After the user to authenticate and connect to wireless, I noticed that the table "RadAcct" was empty, probing the inner-tunnel file found this: There are no accounting Requests inside of EAP-TTLS or PEAP tunnels. What other variants, I can choose to run the accounting? Ideas?
On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado <michel@casa.co.cu> wrote:
After the user to authenticate and connect to wireless, I noticed that the table "RadAcct" was empty, probing the inner-tunnel file found this:
There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.
What other variants, I can choose to run the accounting?
sites-available/default look for "sql" in accounting section. -- Fajar
On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado<michel@casa.co.cu> wrote:
After the user to authenticate and connect to wireless, I noticed that the table "RadAcct" was empty, probing the inner-tunnel file found this:
There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.
What other variants, I can choose to run the accounting? sites-available/default
look for "sql" in accounting section.
This is my accounting section in /etc/raddb/sites-available/default accounting { detail sql } And don't work Michel
Michel Bulgado <michel@casa.co.cu> escribió:
On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado<michel@casa.co.cu> wrote:
After the user to authenticate and connect to wireless, I noticed that the table "RadAcct" was empty, probing the inner-tunnel file found this:
There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.
What other variants, I can choose to run the accounting? sites-available/default
look for "sql" in accounting section.
This is my accounting section in /etc/raddb/sites-available/default
accounting { detail sql }
And don't work
Michel
Hello again As confirmed in my previous email, I have a problem, I have configured freeradius supports tunneled TLS or TTLS best known for, my users can connect using a username and password, but after connecting, not performing the accounting in mysql, I was reviewing seconds "There are no accounting Requests inside of EAP-TTLS or PEAP tunnels." And in turn asked me take this opportunity to ask Alan for who knows more about the subject: 1 - You know how to get them to perform the accounting either through a script? In case there is no solution with TTLS: 2 - Which of these authentication mechanisms "PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC," accounting works and in turn not necessarily need to install client-side certificates? regards Michel ---------------------------------------------- Webmail, servicio de correo electronico Casa de las Americas - La Habana, Cuba.
On Fri, Dec 9, 2011 at 9:39 AM, <michel@casa.co.cu> wrote:
Michel Bulgado <michel@casa.co.cu> escribió:
On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado<michel@casa.co.cu> wrote:
After the user to authenticate and connect to wireless, I noticed that the table "RadAcct" was empty, probing the inner-tunnel file found this:
There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.
What other variants, I can choose to run the accounting?
sites-available/default
look for "sql" in accounting section.
This is my accounting section in /etc/raddb/sites-available/default
accounting { detail sql }
And don't work
Michel
Hello again
As confirmed in my previous email, I have a problem, I have configured freeradius supports tunneled TLS or TTLS best known for, my users can connect using a username and password, but after connecting, not performing the accounting in mysql, I was reviewing seconds
Let's go back to the basics. Does your NAS send accounting packets? (hint: run FR in debug mode, then get a client to connect and disconnect) Some NAS (last time I tried with dd-wrt) it can authenticate using EAP, but it can't send accounting packet. -- Fajar
On 12/08/2011 10:06 PM, Fajar A. Nugraha wrote:
On Fri, Dec 9, 2011 at 9:39 AM,<michel@casa.co.cu> wrote:
Michel Bulgado<michel@casa.co.cu> escribió:
On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado<michel@casa.co.cu> wrote:
After the user to authenticate and connect to wireless, I noticed that the table "RadAcct" was empty, probing the inner-tunnel file found this:
There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.
What other variants, I can choose to run the accounting? sites-available/default
look for "sql" in accounting section.
This is my accounting section in /etc/raddb/sites-available/default
accounting { detail sql }
And don't work
Michel
Hello again
As confirmed in my previous email, I have a problem, I have configured freeradius supports tunneled TLS or TTLS best known for, my users can connect using a username and password, but after connecting, not performing the accounting in mysql, I was reviewing seconds Let's go back to the basics.
Does your NAS send accounting packets? (hint: run FR in debug mode, then get a client to connect and disconnect) Some NAS (last time I tried with dd-wrt) it can authenticate using EAP, but it can't send accounting packet.
Hi Fajar I run radiusd in debug mode : This is the output of the request: rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=125, length=121 User-Name = "michel" NAS-IP-Address = 192.168.30.1 NAS-Port = 0 Called-Station-Id = "00-1E-E5-F4-7B-21" Calling-Station-Id = "00-1F-E1-2B-28-57" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000b016d696368656c Message-Authenticator = 0x72d68fa1027b67d016dd173b01c92dcf +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 1 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> michel [sql] sql_set_user escaped user --> 'michel' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'michel' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'michel' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'michel' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Computacion' ORDER BY id [sql] User found in group Computacion [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Computacion' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok rlm_checkval: Item Name: Calling-Station-Id, Value: 00-1F-E1-2B-28-57 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-1F-E1-2B-28-57 ++[checkval] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 125 to 192.168.25.15 port 32771 Framed-Compression := Van-Jacobson-TCP-IP Framed-Protocol := PPP Service-Type := Framed-User Acct-Interim-Interval = 60 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86f76f4a86d635fb1337e0b98514b2f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=126, length=240 User-Name = "michel" NAS-IP-Address = 192.168.30.1 NAS-Port = 0 Called-Station-Id = "00-1E-E5-F4-7B-21" Calling-Station-Id = "00-1F-E1-2B-28-57" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202007015800000006616030100610100005d03014ee2247053e29359e617993c10c473b4005b225795041ba292b2e85d81f47f5500003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100 State = 0xa86f76f4a86d635fb1337e0b98514b2f Message-Authenticator = 0x5694aee708105901b70a2e10b65dd5e9 +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 2 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 102 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0061], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 08d7], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 126 to 192.168.25.15 port 32771 EAP-Message = 0x0103040015c000000b26160301002a0200002603014ee22464fc31222fd72e6dfb95090f8d8a8fabaa8198c60e852a329868b156050000390016030108d70b0008d30008d00003d8308203d4308202bca003020102020103300d06092a864886f70d01010405003081aa310b3009060355040613024355311c301a06035504081313436975646164206465206c6120486162616e6131123010060355040713094c6120486162616e61311d301b060355040a131443617361206465206c617320416d6572696361733127302506092a864886f70d0109011618636f6d7075746163696f6e40636173612e63756c742e63753121301f0603550403131843 EAP-Message = 0x6572746966696361646f206465204175746f7269646164301e170d3131313230383134303531365a170d3132313230373134303531365a308196310b3009060355040613024355311c301a06035504081313436975646164206465206c6120486162616e61311d301b060355040a131443617361206465206c617320416d6572696361733121301f06035504031318436572746966696361646f2064656c205365727669646f723127302506092a864886f70d0109011618636f6d7075746163696f6e40636173612e63756c742e637530820122300d06092a864886f70d01010105000382010f003082010a0282010100d57576a7332583af627ca1d9 EAP-Message = 0x77fc86c55396361bcec202a428b40a88420590fb2d9fa5ee35cf68290385d1b08cb3a4cd236d7ccc3555ab635adbbadb6fd9614c63fac1785e628a4d8437e3ef31dd3de5eac3a2dac83fe13e6414f15ba5044287e048f9c7c34851db1191733b9db7a1b9573a40e65e89e0202ec0a7e2b03b388764f734007e74efeab5cf6c6692ceb1f511b66c46fd845c5a1149e15d5ce67976e5de56ad41d2da391053c2ec80503e2c74b51e5c9553ab8f0392d933b2c78c3495644bf442b1cc86c0781801084c35f224b573f69c5c2efff94cb54d95759af4b8f2561182cfd9047f1505adfb11dfc73a4b1492c81f95428e0beb86252129b50203010001a3173015 EAP-Message = 0x30130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100e2d2320e9170a1b34de52dffbebc93da8d48eb55a5bc3a7c2cce2cf9ff2c3bf1ac1526248f937ee845c5ddb46192e10ffa2f229a4e06b4cbf54dbeff5cf39cb46a958c69fd4aeff29979c69ce7093b4091d2d6073c9f95ca13b9e09248bd500224c4ad2be6d6f80cefe20b8521b99c219e3d6b3775e6db17cc316f4908e366c6dd9f5490fa183b3f5702dd687dd01226563e106638165ef92141313eb0095ecbd8c2cfee087d576cb6a1efeb5a020993d9fb2cde20b85e2c3e103dbe62702dc6c6b17764bf07b5253ce7f02fc3dac70cf7e1e0d1 EAP-Message = 0x017a1eff3d4b8c66e93d52e3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86f76f4a96c635fb1337e0b98514b2f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=127, length=134 User-Name = "michel" NAS-IP-Address = 192.168.30.1 NAS-Port = 0 Called-Station-Id = "00-1E-E5-F4-7B-21" Calling-Station-Id = "00-1F-E1-2B-28-57" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 State = 0xa86f76f4a96c635fb1337e0b98514b2f Message-Authenticator = 0xf198d4dbc6aac419c4bdef060225ba28 +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 127 to 192.168.25.15 port 32771 EAP-Message = 0x0104040015c000000b26e62af205a7501d47c3785e67ac1087e2ed9272998d0982ddd2040d6e7def5a290004f2308204ee308203d6a003020102020900f748ec3ca828a225300d06092a864886f70d01010505003081aa310b3009060355040613024355311c301a06035504081313436975646164206465206c6120486162616e6131123010060355040713094c6120486162616e61311d301b060355040a131443617361206465206c617320416d6572696361733127302506092a864886f70d0109011618636f6d7075746163696f6e40636173612e63756c742e63753121301f06035504031318436572746966696361646f206465204175746f72 EAP-Message = 0x69646164301e170d3131313230383134303531365a170d3132313230373134303531365a3081aa310b3009060355040613024355311c301a06035504081313436975646164206465206c6120486162616e6131123010060355040713094c6120486162616e61311d301b060355040a131443617361206465206c617320416d6572696361733127302506092a864886f70d0109011618636f6d7075746163696f6e40636173612e63756c742e63753121301f06035504031318436572746966696361646f206465204175746f726964616430820122300d06092a864886f70d01010105000382010f003082010a0282010100f52aae6d2dfa2141001d2a EAP-Message = 0x9541a676d0639d9b4bef36f4a3bce6881af19b89c8fcd08135eb3241e8da66c959f13fb6178d698515c55ed09efbc4c4e61db406c6fa9a4fb887bf6dc033112d8a7a8458549a35a67cf94657ea63b285153e88700c889ec2faa7f15ee0af229dcfe84348f7d7e0052097866ca33a80c36a7c40839ddde3875bc17e19045925a16a2d7fa1c3391cfb0f1d9391ba930aca386e0c7f52b94b6f4d18892e71357280b2403c03eacc385d9ae3ad35b9dabfd615504c9fb1dec653a76ec9a179b32d58983ecddbbf3dcaaec07f2a240ffa5edeeda0b0204629b94798d635e645069f0d12ca30094fbeb777ca3cbbf4f8497d76982f400f050203010001a38201 EAP-Message = 0x133082010f301d0603551d0e04160414b072beac79b158235aaa0656f01f1dcc205f27763081df0603551d230481d73081d48014b072beac79b158235aaa0656f01f1dcc205f2776a181b0a481ad3081aa310b3009060355040613024355311c301a06035504081313436975646164206465206c6120486162616e6131123010060355040713094c6120486162616e61311d301b060355040a131443617361206465206c617320416d6572696361733127302506092a864886f70d0109011618636f6d7075746163696f6e40636173612e63756c742e63753121301f06035504031318436572746966696361646f206465204175746f72696461648209 EAP-Message = 0x00f748ec3ca828a225300c06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86f76f4aa6b635fb1337e0b98514b2f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=128, length=134 User-Name = "michel" NAS-IP-Address = 192.168.30.1 NAS-Port = 0 Called-Station-Id = "00-1E-E5-F4-7B-21" Calling-Station-Id = "00-1F-E1-2B-28-57" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061500 State = 0xa86f76f4aa6b635fb1337e0b98514b2f Message-Authenticator = 0x733083435506c2fd5710480ec62621e7 +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 128 to 192.168.25.15 port 32771 EAP-Message = 0x01050344158000000b2603551d13040530030101ff300d06092a864886f70d010105050003820101004d2c051b8cea5b64d04c742985238a5d7894b2c46ebca82d5b6a7863eb3d32cbe0924ec229f2a665d769af1650d8ae6b845cad219b4c6fbdda34734729954c0342cf24b4aa4add2167e4357536629673f1f3a804cb5eae27f0d09f58bb82443c60f9b66851aa04d53e3b06971f4c8b87679729fef8b3605d2c9a2cc4bdb52e611d43f37a9acd83caa73d9cf0d24e5763ab62c67aa0398a8361941001c7d562191eed395ad4c64c31e7be21f959327386cd9b00862b2159b71166e51e61ec0b52ebcd03ca40fe974954bf2358c5adae5eb90d5d3c EAP-Message = 0x6378ec8c9129f38c01979ba6cb8b3d2a1e8bd1ae7097042240ad6a2bfe0c7a537d9ea76b5de5ad41d06e7d75160301020d0c0002090080d91db7001ab465a9e32ce323cc9e535996eb3414cfb54938a255cdb74cc6de3609438a4e925cc8a759e9879e3bb1b68ab14bfe541180a7ccb857cb563b342dcee2571f99813d14eab540d34a00e8f1938792a3edf9a6e624b2dd509e6609eb80505243fa2d157896406d82f51e955d12358f23b918a496c34cd95e248d893ebb00010200802ceb7f0694badf2de08b8657905f5761743646e601c9707fe47964cd91f47a8548dcdda5f9b43b0a98d1e520471ddcd7536ed217e9fef8c3c928cc32fa2768eac8 EAP-Message = 0x1bfa63f64bc0ad3758e72a5dfd2fa94e5348eac08f761991ac773eb020d11a470749d79333052e43f0fd2ed3b2c4becdbc2e0c47e1c49d68b2adc481f1d7bb010069314ceff1c53856cba2ebb8185ffa1057fbe79c472719727f6a2f7acf8e330e4dd1a6fea8d0fca9946289ad808f55d558190769155fa58d2db6bd3c4eb9b563d7f1ef5f45b4d7c20a5b92a4200c75a2f494646a60364e1e670665206402e3b46933665c5a8bbb0d4237ec533c0f94720fa1032f2ce6569aa396aad891329edd9b9d78e7568341690d8fce0fff717451997e64f30d0a3c2157ba387028a314aa4d4ae4a6869dca63e1acda9b1328479576b32da7d83637a738879381 EAP-Message = 0x2199a2e4737dee3b09178f0f5118b3d279fe6ef5e0f46ee7ead1e91e336c1a609b30e2b17a3e201551c55fded7f06ca449bdf1ae825a7a8dfa5798adfa017556bb2e7aef16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86f76f4ab6a635fb1337e0b98514b2f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=129, length=336 User-Name = "michel" NAS-IP-Address = 192.168.30.1 NAS-Port = 0 Called-Station-Id = "00-1E-E5-F4-7B-21" Calling-Station-Id = "00-1F-E1-2B-28-57" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500d01580000000c61603010086100000820080bd0e0d270c383b42e29ecc66c3a593e6cae447f746f04bd0121ae9b23501a9a914ee40895ccb2c6f1c6e8f8d93733adf138963e1245262f0551c0d4ae354df565e2255c6ab9c8c565c2e3a488ffc0ec61c3886751900c0ffba40428cd49fc98444119d1869c38f0191ae2ad6f09b47e5ec95e1f2c869daa17975bd922392dc911403010001011603010030c942db851014bdd56963fe47985deca4eea56d75828cc4f110b16dd390320495bc76eb481ebae3f10fd0663b4d7eff8a State = 0xa86f76f4ab6a635fb1337e0b98514b2f Message-Authenticator = 0x15bfb65c504550c1336866f41c2e83ca +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 5 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 198 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 129 to 192.168.25.15 port 32771 EAP-Message = 0x0106004515800000003b140301000101160301003033123d4a6842016e35751f216c9e91cbdbe15ff55afed821df65e05b102d2bf27a9250573a71471ce51c606a31060e6a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa86f76f4ac69635fb1337e0b98514b2f Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.25.15 port 32771, id=130, length=240 User-Name = "michel" NAS-IP-Address = 192.168.30.1 NAS-Port = 0 Called-Station-Id = "00-1E-E5-F4-7B-21" Calling-Station-Id = "00-1F-E1-2B-28-57" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0206007015001703010020d5141f0692c34b252a63135bb285cf36c75bf5fbeb7225465599981ac9c51c76170301004015fc3a9de13e30b96141101250b48fed4824d60415dd99090d301715e6827ae00700f3bbcd6284335d5cb86008ccc3ed2fa3a099e777231f02089478a72a6fa9 State = 0xa86f76f4ac69635fb1337e0b98514b2f Message-Authenticator = 0x211db68e0847241824b6b0b0ccd11acf +- entering group authorize {...} ++[preprocess] returns ok [eap] EAP packet type response id 6 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "michel" User-Password = "xxxxx" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "michel" User-Password = "xxxxx" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} [sql] expand: %{User-Name} -> michel [sql] sql_set_user escaped user --> 'michel' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'michel' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'michel' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'michel' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Computacion' ORDER BY id [sql] User found in group Computacion [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Computacion' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok [pap] Normalizing MD5-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "xxxxx" [pap] Using MD5 encryption. [pap] User authenticated successfully ++[pap] returns ok +- entering group session {...} ++[sql] returns noop WARNING: Empty section. Using default return values. } # server inner-tunnel [ttls] Got tunneled reply code 2 Framed-Compression := Van-Jacobson-TCP-IP Framed-Protocol := PPP Service-Type := Framed-User Acct-Interim-Interval = 60 [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.25.15/reply-detail-20111209 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.25.15/reply-detail-20111209 [reply_log] expand: %t -> Fri Dec 9 10:08:20 2011 ++[reply_log] returns ok [sql] expand: %{User-Name} -> michel [sql] sql_set_user escaped user --> 'michel' [sql] expand: %{User-Password} -> [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'michel', '', 'Access-Accept', '2011-12-09 10:08:20') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'michel', '', 'Access-Accept', '2011-12-09 10:08:20') rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok Sending Access-Accept of id 130 to 192.168.25.15 port 32771 MS-MPPE-Recv-Key = 0x1ea6c98931e212cac0d8115539d9f54a3b1a4b68b651e66da7c27b58c192dff5 MS-MPPE-Send-Key = 0x2e85032cb54145d7527d3c0c4e75d36e33d615fa73059ef62aa782dbdde687d9 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "michel" Finished request 5. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 125 with timestamp +5 Cleaning up request 1 ID 126 with timestamp +5 Cleaning up request 2 ID 127 with timestamp +5 Cleaning up request 3 ID 128 with timestamp +5 Waking up in 0.1 seconds. Cleaning up request 4 ID 129 with timestamp +5 Cleaning up request 5 ID 130 with timestamp +5 Ready to process requests. So, i don't see accounting packet, could be supressed by the TTLS or Linkys Router dont send that packet in stream? Regards Michel
On 12/09/2011 10:49 AM, Alan DeKok wrote:
Michel Bulgado wrote:
So, i don't see accounting packet, could be supressed by the TTLS or Absolutely not.
Linkys Router dont send that packet in stream? Yes.
Alan DeKok.
Alan Excuse me everyone on the list for insisting so much with this issue, I'm interested in solving this problem. In conclusion what we discussed, my Linksys router when accounting packets sent after authenticating my user, but not shown or at least are suppressed by TTLS. is not so? So should I change the mechanism to use! Can you recommend any, that the process simple client-side that does not involve installation of certificates in the client side. As simple as the user only have to put user and password to connect Regards Michel
Michel Bulgado wrote:
Excuse me everyone on the list for insisting so much with this issue, I'm interested in solving this problem.
Solving the problem means buying a NAS which works. Linksys ones are usually NOT good enough for what you want to do.
In conclusion what we discussed, my Linksys router when accounting packets sent after authenticating my user, but not shown or at least are suppressed by TTLS. is not so?
I have no idea what that means.
So should I change the mechanism to use!
If the NAS isn't doing accounting correctly, blame the NAS. This is *ALWAYS* the problem with RADIUS. The NAS is in control of *everything*. If something is going wrong, then BLAME THE NAS. No amount of poking FreeRADIUS or posting on this list will result in your NAS magically working.
Can you recommend any, that the process simple client-side that does not involve installation of certificates in the client side.
As simple as the user only have to put user and password to connect
It's impossible. WiFi 802.1X doesn't work that way. Alan DeKok.
On Fri, Dec 9, 2011 at 11:36 PM, Michel Bulgado <michel@casa.co.cu> wrote:
In conclusion what we discussed, my Linksys router when accounting packets sent after authenticating my user, but not shown or at least are suppressed by TTLS. is not so?
So should I change the mechanism to use!
Like Alan said, some NAS simply won't work for what you're trying to achieve, because it doesn't send accounting packets. Fix the NAS. There is another alternative. Instead of using 802.1x, you could use a captive portal. chllispot (and derivaties) is widely used and can send accounting packets just fine. It's more complex to setup (e.g. requires you setup a web server, and have a server or wireless AP which can function as captive portal), but it should work with any wireless access point that either: - captive-portal-capable (e.g. anything that can be flashed with dd-wrt standard or higher), OR - can bridge wireless to wired network, effectively making wireless clients to be in the same ethernet broadcast domain as wired clients. You'd still need a captive portal, but in this setup the captive portal can be another AP or a server. -- Fajar
"Fajar A. Nugraha" <list@fajar.net> escribió:
On Fri, Dec 9, 2011 at 11:36 PM, Michel Bulgado <michel@casa.co.cu> wrote:
In conclusion what we discussed, my Linksys router when accounting packets sent after authenticating my user, but not shown or at least are suppressed by TTLS. is not so?
So should I change the mechanism to use!
Like Alan said, some NAS simply won't work for what you're trying to achieve, because it doesn't send accounting packets. Fix the NAS.
There is another alternative. Instead of using 802.1x, you could use a captive portal. chllispot (and derivaties) is widely used and can send accounting packets just fine. It's more complex to setup (e.g. requires you setup a web server, and have a server or wireless AP which can function as captive portal), but it should work with any wireless access point that either: - captive-portal-capable (e.g. anything that can be flashed with dd-wrt standard or higher), OR - can bridge wireless to wired network, effectively making wireless clients to be in the same ethernet broadcast domain as wired clients. You'd still need a captive portal, but in this setup the captive portal can be another AP or a server.
-- Fajar
Fajar My Wlan is a WRT-110, so DD-WRT is not supported on this model. I wondered if I could at least implement "Simultaneous-Use" so that I can limit the user to connect once, but I think it is not possible, it would at least check the table raddact is where you store the Accounting and returning to the above "not possible". This router is commercial, maybe for its commercial nature, the firmware you have installed, do not send those packets. Regards Michel ---------------------------------------------- Webmail, servicio de correo electronico Casa de las Americas - La Habana, Cuba.
participants (4)
-
Alan DeKok -
Fajar A. Nugraha -
Michel Bulgado -
michel@casa.co.cu