Message: 3 Date: Thu, 21 Aug 2008 08:36:07 +0200 From: "Martin Schneider" <martincschneider@googlemail.com> Subject: Re: EAP-TNC supported? To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <690347540808202336k5ce8ffd5jc0c3efea54b1835d@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1
Hi
2008/8/20 Alan DeKok <aland@deployingradius.com>:
Martin Schneider wrote:
- I read in wikipedia, that the spring 2008 release of FreeRadius has "experimental EAP-TNC" support. I couldn't find any information on the FreeRadius homepage or wiki, that this information is correct. Has FreeRadius EAP-TNC support? And "how experimental" is the EAP-TNC support? It's very experimental. Some people have gotten it to work, but I don't think it's ready for production use.
What a pity!
Does anybody know about a patch or something for FreeRadius that adds more stable EAP-TNC processing? I heard about a patch from FH Hannover (http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I don't know how good this one works. Did maybe anybody of you guys play with that patch? Yes, it is very experimental. We have done some refactoring the last weeks but the new version of the EAP-TNC-Patch is currently not in the FreeRADIUS sources. You can download it from http://tnc.inform.fh-hannover.de. We will modify some further aspects soon (such as removing the dynamic loading of NAA-TNCS.so at runtime).
- In case FreeRadius supports EAP-TNC, is it possible to run EAP-TNC "inside" a EAP-TTLS tunnel? EAP-TTLS as outer method and EAP-TNC as inner method? No. EAP-TNC is designed to be run as an authorization method *after* the user has been authenticated. It *cannot* be run all by itself inside of a TTLS tunnel.
You can run it inside of the TTLS tunnel after another EAP method has been executed. You may have to edit the source code to get this to work.
You can do EAP-TNC inside EAP-TTLS without modifying the source. I tested it with the latest development version of wpa_supplicant. But you will have to modify the source if you want to to EAP-TNC inside EAP-TTLS _after_ another EAP-method (such as MD5).
Ok, thanks for clarifying this point! I really mixed this one up.
I read in the EAP-TTLS draft, that you can perform mutual authentication of server AND client using EAP-TTLS. (Client also needs a Certificate...). So theoretically you should be able to run EAP-TNC directly after EAP-TTLS in the TLS tunnel without any other user authenticating EAP-method?
Yes. Regards Ingo
Regards Martin
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 4 Date: Thu, 21 Aug 2008 08:42:16 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: EAP-TNC supported? To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <48AD0E48.1040803@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Martin Schneider wrote:
Does anybody know about a patch or something for FreeRadius that adds more stable EAP-TNC processing? I heard about a patch from FH Hannover (http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I don't know how good this one works. Did maybe anybody of you guys play with that patch?
The EAP-TNC code in FreeRADIUS *is* the FH Hannover code. There's just *more* work that has to be done to make it ready for a production environment.
I read in the EAP-TTLS draft, that you can perform mutual authentication of server AND client using EAP-TTLS. (Client also needs a Certificate...). So theoretically you should be able to run EAP-TNC directly after EAP-TTLS in the TLS tunnel without any other user authenticating EAP-method?
Perhaps. Check with the TNC specifications to see if this is permitted.
Alan DeKok.
------------------------------
Message: 5 Date: Thu, 21 Aug 2008 09:31:59 +0100 From: Phil Mayers <p.mayers@imperial.ac.uk> Subject: Re: FreeRadius 2.0.5 AD PEAP To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20080821083159.GA27802@wildfire.net.ic.ac.uk> Content-Type: text/plain; charset=us-ascii; format=flowed
Perhaps try it with a Cleartext-Password in the "users" file. i.e. *Without* using ntlm_auth. That works for me, including with eapol_test, and TTLS/EAP-MSCHAPv2.
Can you clarify this setup/change to test? I was pretty sure I needed to use ntlm_auth to auth against AD to test mschapv2
Put a test user in the "users" file:
test Cleartest-Password := "blah", MS-CHAP-Use-NTLM-Auth := 0
If that still fails, then there's something wrong with the system that breaks the server in 2.0.5.
Running Samba 3.2.0 on Fedora 9
Your problem is very odd. I'm using 2.0.5 on RHEL5 with ntlm_auth and it's working fine.
The only time I've seen eapol_test fail with "mismatch" is when I've failed to strip the DOMAIN\ or @DOMAIN.COM from usernames with realms and this has confused the key hashing - but your usernames are unadorned.
Perhaps the Samba version in F9 has problems? What OS and samba version is your (working) 1.1.7 server running?
FYI: Unknown network block for the CA_CERT with regards to the eapol test config file What does that mean? Within the config you provided to for eapol_test at the bottom is a ca_cert declaration that errors out when uncommented
Anyone using FC9 with freeradius 2.0.5 against AD working that I can use to compare?
Thanks much appreciated
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 6 Date: Thu, 21 Aug 2008 10:53:17 +0200 From: Thomas Buchberger <buchberger@nefonline.de> Subject: Re: Auth-Type := Accept - CHAP problems To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <48AD2CFD.3040206@nefonline.de> Content-Type: text/plain; charset=ISO-8859-1
Hi Alan and Ivan,
Alan DeKok wrote:
Config looks like this:
DEFAULT Auth-Type := Accept
This completely bypasses any password checks.
ERX-Virtual-Router-Name = "vpn:XXX", ERX-Egress-Policy-Name = "XXX", ERX-Local-Loopback-Interface = "loopback 255", Service-Type = Framed-User, Framed-Protocol = PPP, Fall-Through = Yes
Test100 Password = "Test100"
Use:
Test100 Cleartext-Password := "Test100"
OK - now I understand... with Cleartext-Password PAP and CHAP behave the same way... For us the wrong way :-) Is there a possibility so solve it with freeradius? We want to Accept all Users but give "authenticated" (correct username and password) users individual attributes and "non authenticated" users (wrong username and / or password) different attributes but no "Login incorrect".
Hi Ingo and others
Does anybody know about a patch or something for FreeRadius that adds more stable EAP-TNC processing? I heard about a patch from FH Hannover (http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I don't know how good this one works. Did maybe anybody of you guys play with that patch? Yes, it is very experimental. We have done some refactoring the last weeks but the new version of the EAP-TNC-Patch is currently not in the FreeRADIUS sources. You can download it from http://tnc.inform.fh-hannover.de. We will modify some further aspects soon (such as removing the dynamic loading of NAA-TNCS.so at runtime).
Great! Thanks for that hint. I'll have a look at this soon. So you'll want to integrate the TNC Server directly into the EAP Module, or to be more precise, you'll add a "TNC Type Module" to the EAP module?
You can do EAP-TNC inside EAP-TTLS without modifying the source. I tested it with the latest development version of wpa_supplicant. But you will have to modify the source if you want to to EAP-TNC inside EAP-TTLS _after_ another EAP-method (such as MD5).
That's good news for me! So basically, the "only thing I need to do" when I want to perfom EAP-TNC is to create a IMC/IMV pair and integrate the IMC to wpa_supplicant and the IMV to Free Radius? Regards Martin
participants (2)
-
Ingo Bente -
Martin Schneider