PEAP authentication with freerad ?
Hello, I would like to use PEAP to perfome authentication of wlan users , I choose PEAP because Users and Passwords are in an LDAP Server (OPEN-LDAP). According to me PEAP works like this : Phase 1 :: TLS handshake the server authenticate to the client as a trusted radius serveur and a cipher tunel is created. Phase 2 :: Login + Password + Domain hashed with MD5 are send to the Radius Server which ask LDAP server for password and login. acording to the doc file : realm_eap , freeradius supports only eap-tls (authentication based only on certificates (client + server ) lead and eap-MD5 ( according to me even if PEAP use MD5 hash , the EAP-MD5 is different with no mutual autenthication and no TLS handshake ) I dont want to use a full certifcate based solution like EAP-TLS or a authentification with no ciphered tunel like with EAP-MD5 Anyone could help me for using PEAP (or at least authentication with the two phases described upper) with freeradius ? thank you. Ps : sorry for english mistakes :)
I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In this case, MD5 is not involved anywhere. The passwords are hashed differently. As such, you must either have an NT hashed password (which is actually a unicode-encoded MD4 hash of the password) or a cleartext password in your directory. --Mike On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:
Hello,
I would like to use PEAP to perfome authentication of wlan users , I choose PEAP because Users and Passwords are in an LDAP Server (OPEN-LDAP). According to me PEAP works like this :
Phase 1 :: TLS handshake the server authenticate to the client as a trusted radius serveur and a cipher tunel is created. Phase 2 :: Login + Password + Domain hashed with MD5 are send to the Radius Server which ask LDAP server for password and login.
acording to the doc file : realm_eap , freeradius supports only eap-tls (authentication based only on certificates (client + server ) lead and eap-MD5 ( according to me even if PEAP use MD5 hash , the EAP-MD5 is different with no mutual autenthication and no TLS handshake )
I dont want to use a full certifcate based solution like EAP-TLS or a authentification with no ciphered tunel like with EAP-MD5
Anyone could help me for using PEAP (or at least authentication with the two phases described upper) with freeradius ?
thank you.
Ps : sorry for english mistakes :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Yes i use PEAP/MsChapv2 , and password in OpenLDAP are stocked in clear mode , but there is a really strange eror while I try an autothentication via EAP-PEAP (MSCHAPv2) here is the output of Freeradius : lm_ldap: checking if remote access for test is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: group authorize returns ok for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: group Auth-Type returns reject for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: group authenticate returns reject for request 6 auth: Failed to validate the user. Login incorrect: [test/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE I dont know if that error is due to an impossible comporason beetwen hashed password in mschap and clear openldap password or if there is problems fields NT/LM-Password. 2006/6/6, Michael Griego <mgriego@utdallas.edu>:
I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In this case, MD5 is not involved anywhere. The passwords are hashed differently. As such, you must either have an NT hashed password (which is actually a unicode-encoded MD4 hash of the password) or a cleartext password in your directory.
--Mike
On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:
Hello,
I would like to use PEAP to perfome authentication of wlan users , I choose PEAP because Users and Passwords are in an LDAP Server (OPEN-LDAP). According to me PEAP works like this :
Phase 1 :: TLS handshake the server authenticate to the client as a trusted radius serveur and a cipher tunel is created. Phase 2 :: Login + Password + Domain hashed with MD5 are send to the Radius Server which ask LDAP server for password and login.
acording to the doc file : realm_eap , freeradius supports only eap-tls (authentication based only on certificates (client + server ) lead and eap-MD5 ( according to me even if PEAP use MD5 hash , the EAP-MD5 is different with no mutual autenthication and no TLS handshake )
I dont want to use a full certifcate based solution like EAP-TLS or a authentification with no ciphered tunel like with EAP-MD5
Anyone could help me for using PEAP (or at least authentication with the two phases described upper) with freeradius ?
thank you.
Ps : sorry for english mistakes :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"thomas hahusseau" <thomas.hahusseau@gmail.com> wrote:
modcall: entering group Auth-Type for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password.
This means that the server has no clear-text password. i.e. it wasn't retrieved from LDAP. See the rest of the debug log to see what was retrieved from LDAP. Alan DeKok.
I dont understand why it doesn't work , Password are in clear in LDAP base , the only thing that i want is freeradius recieve login and password form an PEAP (Mschapv2) authentification request and compare it from password and login stocked in LDAP database if it's matched so allow the access. here is my conf file "users" DEFAULT Auth-Type = EAP, EAP-Type == EAP-PEAP DEFAULT Auth-Type = LDAP there to different situation , in both of them authentication section about LDAP and EAP are uncommented. ++++First : If I uncomment "eap" in authorize section of radiusd.conf : # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. eap I've got that kind of error : ----------------------------------------------- lm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: group authenticate returns invalid for request 7 auth: Failed to validate the user. Login incorrect: [test/<no User-Password attribute>] (from client Access_Point_3COM port 1 cli 004096a1ce69) Delaying request 7 for 1 seconds Finished request 7 ------------------------------------------ Authorize part with ldap works well but not the authentification one with eap (the tls handshake works well) ++++Second : If I comment "eap" in authorize section of radiusd.conf I've got a long output attached in that mail. As a conclusion if I edit the users config file like that : I hope you could help I'm blocked on that problem for 2 weeks and the end of my training period is close and I would like to finish it before :). Thank you 2006/6/6, Alan DeKok <aland@nitros9.org>:
"thomas hahusseau" <thomas.hahusseau@gmail.com> wrote:
modcall: entering group Auth-Type for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password.
This means that the server has no clear-text password. i.e. it wasn't retrieved from LDAP. See the rest of the debug log to see what was retrieved from LDAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"thomas hahusseau" <thomas.hahusseau@gmail.com> wrote:
++++First : If I uncomment "eap" in authorize section of radiusd.conf :
Which you MUST do, or EAP doesn't work.
rlm_eap_peap: Had sent TLV failure, rejecting.
<sigh> Why are you insisting on looking at only a portion of the debug output? Look PREVIOUSLY in the output to see what's going wrong, and why. And if you see the same "No User-Password" message, please don't post that.
++++Second : If I comment "eap" in authorize section of radiusd.conf
It doesn't work.
I hope you could help I'm blocked on that problem for 2 weeks and the end of my training period is close and I would like to finish it before :).
I really don't understand. 1) get CHAP working with LDAP, where the clear-text passwords are read from LDAP If that doesn't work, it won't work for EAP. 2) Put a different user & clear-text password in "users". Get EAP working. 3) Try EAP with the username from (1). If it doesn't work, I will be EXTREMELY surprised. Alan DeKok.
Does free radius support PEAP/LEAP 802.1x authentication? How can i configure it? ----- Original Message ----- From: "Michael Griego" <mgriego@utdallas.edu> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, June 06, 2006 7:52 PM Subject: Re: PEAP authentication with freerad ?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Does free radius support PEAP/LEAP 802.1x authentication?
yes, of course it does.
How can i configure it?
I'd start by reading the documentation. Then you'd want to plan on how to implement it. make sure the required parts of, eg eap.conf are configured and make sure that the required authorization database or files are accessible. for example, bind the system into active directory and use ntlm_auth for most painless way of dealing with PEAP alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
darshak -
Michael Griego -
thomas hahusseau