Windows XP hangs forever during PEAP auth on freeradius with winbind/AD backend
Hello all, I've been at this for two full days with no luck so I hope that folks here will take me under their wing. :-> I am trying to setup freeradius so that hosts running windows XP/SP2 can be authenticated via .1x. when plugged in to a 3Com 3226 switch. The freeradius server version is 2.1.4, built from source, I added SSL libraries since Debian's deb for freeradius doesn't ship with them. My server is running Debian Lenny. I am using winbind to provide authentication services to Windows AD 2003/sp2. I am following the directions posted on the freeradius wiki (which is a bit out of date btw) http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO I can list domain users via wbinfo -u and getent passwd. and doing wbinfo -a raduser%testing123 yields plaintext password authentication succeeded challenge/response password authentication succeeded ntlm_auth --request-nt-key --domain=VANGUARD --username=raduser password: NT_STATUS_OK: Success (0x0) However doing radtest fails, but read on before you jump to conclusions... radtest raduser testing123 localhost 0 testing123 Sending Access-Request of id 144 to 127.0.0.1 port 1812 User-Name = "raduser" User-Password = "testing123" NAS-IP-Address = 10.1.1.51 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=144, length=20 I believe my problem resembles the description on the FAQ re: windows machines http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with... I have patched the windows client per the instructions but no dice. I read the link http://support.microsoft.com/kb/814394/en-us but it is my understanding that freeradius supports winxp crafted certificates (via certs/xpextensions) out of the box when it builds the example certs in /etc/freeradius/certs so I am not sure what to do here Wireshark shows me that after the windows machine is plugged into my 3com switch on a port which is configured for radius that the windows client makes an Access-Request and receives and Access-Challenge. This happen twice and then nothing.... I'd appreciate any guidance folks could give me! Thanks! John Below is my output via /usr/sbin/freeradius -X: FreeRADIUS Version 2.1.5, for host i486-pc-linux-gnu, built on Apr 1 2009 at 10:01:13 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/mschap.back including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/control-socket including configuration file /etc/freeradius/sites-enabled/inner-tunnel group = freerad user = freerad including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.1.8.100 { require_message_authenticator = no secret = "testing123" shortname = "10.1.8.100" nastype = "other" } client 10.1.0.0/16 { require_message_authenticator = no secret = "testing123" shortname = "1xTestNet" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/freeradius/freeradius.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/freeradius/freeradius.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.1.8.100 port 1814, id=184, length=108 User-Name = "VANGUARD\\raduser" NAS-Port = 1 EAP-Message = 0x020200150156414e47554152445c72616475736572 NAS-IP-Address = 10.1.8.100 NAS-Identifier = "dot1XTest" NAS-Port-Type = Ethernet Message-Authenticator = 0x489162eae33da6dd437c085cf868a6fd +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "VANGUARD\raduser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 184 to 10.1.8.100 port 1814 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe592b3e0e591aa0180248c52bcf71e4c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.8.100 port 1815, id=185, length=185 User-Name = "VANGUARD\\raduser" NAS-Port = 1 EAP-Message = 0x0203005019800000004616030100410100003d030149d52ffaa3e098edc3797d843b00b9f5c5de4d76a7a880122c543be012963c4400001600040005000a000900640062000300060013001200630100 State = 0xe592b3e0e591aa0180248c52bcf71e4c NAS-IP-Address = 10.1.8.100 NAS-Identifier = "dot1XTest" NAS-Port-Type = Ethernet Message-Authenticator = 0x5fb7a98454fce78f4c9d84a0b62feac5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "VANGUARD\raduser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 185 to 10.1.8.100 port 1815 EAP-Message = 0x0104040019c00000089b160301002a02000026030149d52ffba117142e0da0c94fa008cae442b571cb1ac64f22586a956479692b9f00000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303430313137303534325a170d3130303430313137303534325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ab668810c01ace1cd17482fb8fdf0794eef27b5b8c86b14f3aa78eeb578c01984905b9829865a1d6a52edb6269d7d9c223eb75957436f7ee08d92656e477 EAP-Message = 0xa67667951100f7d496ab10f01aa381a7570df3cbaf6e5d71b2559772f51b6fa8976694b86fbffd5b9adb7637e66700cd0c51b0b9292457a7302566bc650e73269af692275fffaa15e3385db67d9cdcc383d49e7bfd1802898d2d5971158edec35c8f53d9a8353c5419e8a25ae16f49a83b0007917d442ab0b2500bd9f0e221120f519e1c5630f093dacbdd76f151d2d4cf7b03a1658a84d96e2fa21b43ab20a7893b982ac896fb437217cc45c35e1971b67a1e284e23e13c1007a63e71ae50df3d290203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101001faea3faa369c37c7e EAP-Message = 0x353deff4d0237f6cf4e6253a4bec3cf2a3b7d423211362a2dfc4b3a5366181c24bacf7d5f1978a75042f006b5cebb0be566cf6cb55f58642e895b5aef91e9a3a908a07333713b384876fdd42cb2ae132d7952b70d2848eb4cc229ef49cdcb196807f474d4924a0b1acba510057a6dd255607e0c929a5c2da69f66aa0d7ec8bab14504722175fbf5df9d0cd437e9c9e93683f63a6a1b5af3dc494088b23445ee0d25cfd7d6abeb7214bea80f44010896168b7f1d985bbedc55a7fe9c373407b1503040e1b6c7ad1a0ea6fa893593cca9984a3f4f3e41d26e18989448548ef958625479d7b835eb6e77a860bbc8bc1ded5d98fa68d2fa67e0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe592b3e0e496aa0180248c52bcf71e4c Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 184 with timestamp +49 Cleaning up request 1 ID 185 with timestamp +52 Ready to process requests.
I am trying to setup freeradius so that hosts running windows XP/SP2 can be authenticated via .1x. when plugged in to a 3Com 3226 switch. The freeradius server version is 2.1.4, built from source, I added SSL libraries since Debian's deb for freeradius doesn't ship with them. My server is running Debian Lenny.
I am using winbind to provide authentication services to Windows AD 2003/sp2.
I am following the directions posted on the freeradius wiki (which is a bit out of date btw)
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
I can list domain users via wbinfo -u and getent passwd.
and doing
wbinfo -a raduser%testing123 yields
plaintext password authentication succeeded challenge/response password authentication succeeded
ntlm_auth --request-nt-key --domain=VANGUARD --username=raduser password: NT_STATUS_OK: Success (0x0)
However doing radtest fails, but read on before you jump to conclusions...
Let's not. Updated howto is on: http://deployingradius.com/documents/configuration/active_directory.html Have you imported CA certificate (ca.der) onto the client? Ivan Kalik Kalik Informatika ISP
Let's not. Updated howto is on:
http://deployingradius.com/documents/configuration/active_directory.html
Thanks for the updated howto. I followed and it and can successfully complete every step except the last, (e.g. the one where I must use a windows client to send an MS-CHAP authentication request). As a side note when I do ntlm_auth --request-nt-key --domain=VANGUARD --username=raduser --password=testing123 I get NT_STATUS_OK: Success (0x0) The howto you sent me says "If all goes well, you should see authentication succeeding (NT_STATUS_OK). You should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication." I (0x0) the output being referred to or is something missing here?
Have you imported CA certificate (ca.der) onto the client?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have imported the ca.der onto the client (allowing Windows to automatically choose where to palce it) but still no joy. Likely I have the client configured incorrectly. In fact, I am having a great deal of trouble getting the network adapter to reliably make a request to the free radius server. Any advice is much appreciated. John
Hi,
The howto you sent me says "If all goes well, you should see authentication succeeding (NT_STATUS_OK). You should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication." I (0x0) the output being referred to or is something missing here?
what version of samba are you running? what distro are you running? alan
On Sat, Apr 4, 2009 at 1:16 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
The howto you sent me says "If all goes well, you should see authentication succeeding (NT_STATUS_OK). You should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication." I (0x0) the output being referred to or is something missing here?
what version of samba are you running? what distro are you running?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, Samba/winbind version 2:32.5-4 on Debian Lenny (stable). John
On Apr 6, 2009, at 3:49 PM, john wrote:
On Sat, Apr 4, 2009 at 1:16 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
The howto you sent me says "If all goes well, you should see authentication succeeding (NT_STATUS_OK). You should also see the NT_KEY output, which is needed in order for FreeRADIUS to perform MS-CHAP authentication." I (0x0) the output being referred to or is something missing here?
what version of samba are you running? what distro are you running?
alan
Samba/winbind version 2:32.5-4 on Debian Lenny (stable).
We run Debian, and we currently have our samba packages pinned at version 2:3.0.30-3 due to this issue: http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg0028... See the Debain APT manual for information on package pinning. That said, your debug output (if that was all of it) didn't seem to suggest you're running into this particular issue just yet. I say that because your EAP exchange never progresses to the point where ntlm_auth is executed by FreeRADIUS. Things seem to be hanging right after the outer TLS tunnel is established, which may point to a certificate problem. Are you sure your server certificate is OK? Mike Loosbrock Bethel University Network Services 651-638-6723
On Apr 8, 2009, at 10:07 AM, Mike Loosbrock wrote:
We run Debian, and we currently have our samba packages pinned at version 2:3.0.30-3 due to this issue:
http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg0028...
List, I'd be willing to report this bug to the Samba team as seems to be an upstream issue. Is there any other specific info they might want or need? Mike Loosbrock Bethel University Network Services 651-638-6723
We run Debian, and we currently have our samba packages pinned at version 2:3.0.30-3 due to this issue:
http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg0028...
See the Debain APT manual for information on package pinning.
Thanks Mike! I'll look into this a bit more although as you say I am not quite having that issue (yet). :->
That said, your debug output (if that was all of it) didn't seem to suggest you're running into this particular issue just yet. I say that because your EAP exchange never progresses to the point where ntlm_auth is executed by FreeRADIUS. Things seem to be hanging right after the outer TLS tunnel is established, which may point to a certificate problem. Are you sure your server certificate is OK?
I am not sure that it is, I am a noob. I built freeradius from the current stable source, but I used apt to install openssl. My understanding was that when I fired freeradius up for the first time it would automatically populate /etc/freeradius/certs with all of the files necessary to make a proper peap connection. Can you suggest a way to test the cert? Wireshark tells me that my 3Com 3226 switch is sending an eap reject immediately after I connect the supplicant to a port protected with .1x. I don't see any traffic between the switch and freeradius so I am wondering if the switch doesn't support peap? Perhaps I should back off and try md5 or something? Also since I am throwing out the litany of my ignorance I haven't solved in a good way a complaint that I get when I am testing via 'wbinfo -a username%password'. I've had to chmod 777 /var/run/samba/winbindd_privileged in order to use the socket, of course restarting winbind resets the perms here. I saw something about enabling extending acls's on the file system to work around this issue. I'd be interested to know what you ended up doing. Thanks for the reply! John
Mike Loosbrock Bethel University Network Services 651-638-6723
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 8, 2009, at 11:28 AM, john wrote:
Can you suggest a way to test the cert?
Well, you can use the openssl utility to see what your server certificate contains: $ openssl x509 -text -in <server-cert-file>
Wireshark tells me that my 3Com 3226 switch is sending an eap reject immediately after I connect the supplicant to a port protected with .1x. I don't see any traffic between the switch and freeradius so I am wondering if the switch doesn't support peap? Perhaps I should back off and try md5 or something?
Your switch doesn't *need* to support any particular EAP type because the EAP exchange is actually between the supplicant and RADIUS. Your switch just passes the messages back and forth between the two. If you see your switch doing EAP with the supplicant (i.e. EAP is happening, but you don't see it at the RADIUS server), your switch may be doing what some vendors call 'EAP off-loading'. In other words, the switch is handling EAP to get at the credentials it eventually authenticates against RADIUS. But I don't know if 3Com switches do this, and if they do, it's probably not default.
Also since I am throwing out the litany of my ignorance I haven't solved in a good way a complaint that I get when I am testing via 'wbinfo -a username%password'. I've had to chmod 777 /var/run/samba/winbindd_privileged in order to use the socket, of course restarting winbind resets the perms here. I saw something about enabling extending acls's on the file system to work around this issue. I'd be interested to know what you ended up doing.
Just add the freerad user to the winbindd_priv group. Mike Loosbrock Bethel University Network Services 651-638-6723
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
john -
Mike Loosbrock -
tnt@kalik.net