Hi, I had been using EAP-TTLS, but I've commented in an earlier post, I have no luck with securew2 and Vista. So I am planning use a "secondary password" for radius in clear-text. But I'd want to know if TTLS and PEAP can live together, my current eap.conf is as follow: eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_file = /etc/pki/tls/certs/ips-spectrum-key.pem certificate_file = /etc/pki/tls/certs/ips-spectrum-crt.pem CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random cipher_list = "DEFAULT" } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no } mschapv2 { } } -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
Sergio Belkin wrote:
Hi,
I had been using EAP-TTLS, but I've commented in an earlier post, I have no luck with securew2 and Vista. So I am planning use a "secondary password" for radius in clear-text. But I'd want to know if TTLS and PEAP can live together, my current eap.conf is as follow:
Sure. We use both. However; you may have problems forcing peap/mschap to use a different password than ttls/md5 - it depends what control items you're setting. This may be easier with FR2 - you can specify that the ttls and peap modules dispatch inner requests to a different virtual server.
Sergio Belkin wrote:
Hi,
I had been using EAP-TTLS, but I've commented in an earlier post, I have no luck with securew2 and Vista. So I am planning use a "secondary password" for radius in clear-text. But I'd want to know if TTLS and PEAP can live together, my current eap.conf is as follow:
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_file = /etc/pki/tls/certs/ips-spectrum-key.pem certificate_file = /etc/pki/tls/certs/ips-spectrum-crt.pem CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random cipher_list = "DEFAULT" } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no } mschapv2 { } }
Yes. If the supplicant doesn't support TTLS it'll NAK the offer of EAP-TTLS and request PEAP. Default EAP type specifies the EAP type the server initially attempts to negotiate with the supplicant. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
2008/4/29 Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
Sergio Belkin wrote:
Hi,
I had been using EAP-TTLS, but I've commented in an earlier post, I have no luck with securew2 and Vista. So I am planning use a "secondary password" for radius in clear-text. But I'd want to know if TTLS and PEAP can live together, my current eap.conf is as follow:
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_file = /etc/pki/tls/certs/ips-spectrum-key.pem certificate_file = /etc/pki/tls/certs/ips-spectrum-crt.pem CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random cipher_list = "DEFAULT" } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no } mschapv2 { } }
Yes. If the supplicant doesn't support TTLS it'll NAK the offer of EAP-TTLS and request PEAP. Default EAP type specifies the EAP type the server initially attempts to negotiate with the supplicant.
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Phil and Arran. I am testing peap and ttls and I only modified default_eap_type to be peap. But I can't connect, this part of the debugging output: rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for pepepe with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [pepepe/<via Auth-Type = EAP>] (from client UP-PVIII-VII port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled (pepepe is the user) I am setting userPassword in cleartext with Luma for LDAP (http://luma.sourceforge.net/ ). What's wrong? Thanks in advance. Should I define 2 virtual servers as Phil suggested? -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for pepepe with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
..
I am setting userPassword in cleartext with Luma for LDAP (http://luma.sourceforge.net/ ). What's wrong?
You have configured wrong password attribute (read the debug you have posted and ldap.attrmap). userPassword maps to User-Password not Cleartext-Password. Ivan Kalik Kalik Informatika ISP
2008/4/29 Ivan Kalik <tnt@kalik.net>:
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for pepepe with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
..
I am setting userPassword in cleartext with Luma for LDAP (http://luma.sourceforge.net/ ). What's wrong?
You have configured wrong password attribute (read the debug you have posted and ldap.attrmap). userPassword maps to User-Password not Cleartext-Password.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Ivan, I don't found userPassword, does $GENERIC$ have to do with it? This is my ldap.attr,map (I didn't edit): checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem checkItem Auth-Type radiusAuthType checkItem Simultaneous-Use radiusSimultaneousUse checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId checkItem LM-Password lmPassword checkItem NT-Password ntPassword checkItem LM-Password sambaLmPassword checkItem NT-Password sambaNtPassword checkItem SMB-Account-CTRL-TEXT acctFlags checkItem Expiration radiusExpiration checkItem NAS-IP-Address radiusNASIpAddress replyItem Service-Type radiusServiceType replyItem Framed-Protocol radiusFramedProtocol replyItem Framed-IP-Address radiusFramedIPAddress replyItem Framed-IP-Netmask radiusFramedIPNetmask replyItem Framed-Route radiusFramedRoute replyItem Framed-Routing radiusFramedRouting replyItem Filter-Id radiusFilterId replyItem Framed-MTU radiusFramedMTU replyItem Framed-Compression radiusFramedCompression replyItem Login-IP-Host radiusLoginIPHost replyItem Login-Service radiusLoginService replyItem Login-TCP-Port radiusLoginTCPPort replyItem Callback-Number radiusCallbackNumber replyItem Callback-Id radiusCallbackId replyItem Framed-IPX-Network radiusFramedIPXNetwork replyItem Class radiusClass replyItem Session-Timeout radiusSessionTimeout replyItem Idle-Timeout radiusIdleTimeout replyItem Termination-Action radiusTerminationAction replyItem Login-LAT-Service radiusLoginLATService replyItem Login-LAT-Node radiusLoginLATNode replyItem Login-LAT-Group radiusLoginLATGroup replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone replyItem Port-Limit radiusPortLimit replyItem Login-LAT-Port radiusLoginLATPort replyItem Reply-Message radiusReplyMessage -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
You need to add the entry for Cleartext-Password. Something like: checkItem Cleartext-Password clrtxtPassword Ivan Kalik Kalik Informatika ISP Dana 29/4/2008, "Sergio Belkin" <sebelk@gmail.com> piše:
2008/4/29 Ivan Kalik <tnt@kalik.net>:
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for pepepe with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
..
I am setting userPassword in cleartext with Luma for LDAP (http://luma.sourceforge.net/ ). What's wrong?
You have configured wrong password attribute (read the debug you have posted and ldap.attrmap). userPassword maps to User-Password not Cleartext-Password.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
Thanks Ivan, I don't found userPassword, does $GENERIC$ have to do with it?
This is my ldap.attr,map (I didn't edit):
checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem
checkItem Auth-Type radiusAuthType checkItem Simultaneous-Use radiusSimultaneousUse checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId checkItem LM-Password lmPassword checkItem NT-Password ntPassword checkItem LM-Password sambaLmPassword checkItem NT-Password sambaNtPassword checkItem SMB-Account-CTRL-TEXT acctFlags checkItem Expiration radiusExpiration checkItem NAS-IP-Address radiusNASIpAddress
replyItem Service-Type radiusServiceType replyItem Framed-Protocol radiusFramedProtocol replyItem Framed-IP-Address radiusFramedIPAddress replyItem Framed-IP-Netmask radiusFramedIPNetmask replyItem Framed-Route radiusFramedRoute replyItem Framed-Routing radiusFramedRouting replyItem Filter-Id radiusFilterId replyItem Framed-MTU radiusFramedMTU replyItem Framed-Compression radiusFramedCompression replyItem Login-IP-Host radiusLoginIPHost replyItem Login-Service radiusLoginService replyItem Login-TCP-Port radiusLoginTCPPort replyItem Callback-Number radiusCallbackNumber replyItem Callback-Id radiusCallbackId replyItem Framed-IPX-Network radiusFramedIPXNetwork replyItem Class radiusClass replyItem Session-Timeout radiusSessionTimeout replyItem Idle-Timeout radiusIdleTimeout replyItem Termination-Action radiusTerminationAction replyItem Login-LAT-Service radiusLoginLATService replyItem Login-LAT-Node radiusLoginLATNode replyItem Login-LAT-Group radiusLoginLATGroup replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone replyItem Port-Limit radiusPortLimit replyItem Login-LAT-Port radiusLoginLATPort replyItem Reply-Message radiusReplyMessage
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2008/4/29 Ivan Kalik <tnt@kalik.net>:
You need to add the entry for Cleartext-Password. Something like:
checkItem Cleartext-Password clrtxtPassword
Ivan Kalik Kalik Informatika ISP
Hmmmm. I advanced and before of reading your answer I added: checkItem User-Password userPassword replyItem Tunnel-Type radiusTunnelType replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId end of snip It worked! Anywat Is that right? -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
That probably won't work in 2.0. Mapping to Cleartext-Password will. Ivan Kalik Kalik Informatika ISP Dana 29/4/2008, "Sergio Belkin" <sebelk@gmail.com> piše:
2008/4/29 Ivan Kalik <tnt@kalik.net>:
You need to add the entry for Cleartext-Password. Something like:
checkItem Cleartext-Password clrtxtPassword
Ivan Kalik Kalik Informatika ISP
Hmmmm. I advanced and before of reading your answer I added:
checkItem User-Password userPassword
replyItem Tunnel-Type radiusTunnelType replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
end of snip
It worked! Anywat Is that right?
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2008/4/29 Ivan Kalik <tnt@kalik.net>:
That probably won't work in 2.0. Mapping to Cleartext-Password will.
I am using 2.0.2 :)
Ivan Kalik Kalik Informatika ISP
Dana 29/4/2008, "Sergio Belkin" <sebelk@gmail.com> piše:
2008/4/29 Ivan Kalik <tnt@kalik.net>:
You need to add the entry for Cleartext-Password. Something like:
checkItem Cleartext-Password clrtxtPassword
Ivan Kalik Kalik Informatika ISP
Hmmmm. I advanced and before of reading your answer I added:
checkItem User-Password userPassword
replyItem Tunnel-Type radiusTunnelType replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
end of snip
It worked! Anywat Is that right?
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
participants (4)
-
Arran Cudbard-Bell -
Ivan Kalik -
Phil Mayers -
Sergio Belkin