Problems authenticating and assigning DHCP addresses
I am running Freeradius-1.0.4 from source. Radius is accessed by XP requesting through a Cisco AP. I am running PEAP (MS-CHAP-V2) w/ SQL. My first question is: How do I tie all of this together with a DHCPd server, so that they authenticated clients can be assigned an IP address. I am using VLAN tunnel attributes so that, when DHCP support /is/ implemented, I can assign different IP addresses with different access privileges. How can I implement a DHCPd server into my configuration? Second question: How can I authenticate against a Crypt-Password, in SQL? I am able to receive an Access-Accept when using a clear text password (Attribute=Password), through XP. I receive: rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: group authenticate returns invalid for request 9 auth: Failed to validate the user. Login incorrect: [johnk/<no User-Password attribute>] (from client Aironet1100 port 318 cli 000e.35b5.eb8f) Delaying request 9 for 1 seconds Finished request 9 Going to the next request when using Crypt-Password. However, Crypt-Password works fine when testing with radtest. Sincerely, --johnk
On Saturday 09 July 2005 16:45, jck-freeradius@southwestern.edu wrote:
My first question is:
How do I tie all of this together with a DHCPd server, so that they authenticated clients can be assigned an IP address. I am using VLAN tunnel attributes so that, when DHCP support /is/ implemented, I can assign different IP addresses with different access privileges.
How can I implement a DHCPd server into my configuration?
Since you are using VLANs and want different IP ranges for different access privileges, I would suggest you use Q-Trunks if your network equipment permits. Build a DHCP scope for each VLAN address range, then assign the gateway and helper address to each virtual interface of the trunks on your router. This has nothing to do with RADIUS and should be covered in your router, switch and access point manuals. Zoltan Ori
Zoltan, On Sat, Jul 09, 2005 at 06:21:37PM -0400, Zoltan A. Ori wrote:
On Saturday 09 July 2005 16:45, jck-freeradius@southwestern.edu wrote:
My first question is:
How do I tie all of this together with a DHCPd server, so that they authenticated clients can be assigned an IP address. I am using VLAN tunnel attributes so that, when DHCP support /is/ implemented, I can assign different IP addresses with different access privileges.
How can I implement a DHCPd server into my configuration?
Since you are using VLANs and want different IP ranges for different access privileges, I would suggest you use Q-Trunks if your network equipment
We currently do dot-Q trunking of VLANS, and my testing AP has been setup to support the configuration. Let me know if you are referring to something else.
permits. Build a DHCP scope for each VLAN address range, then assign the
By scope, yes, we have a ISC DHCPd server setup to give out DHCP IP addresses, based on VLAN DHCP request.
gateway and helper address to each virtual interface of the trunks on your router. This has nothing to do with RADIUS and should be covered in your router, switch and access point manuals.
I was under the impression that if my TCP/IP stach was setup for DHCP, and I received an Access-Accept packet from FreeRadius, that my supplicant would go out and request an IP address. Is this not correct? It is not working for me. In addition, I also am wondering why I can only use "Attribute=Password" for successful authentication, and not "Attribute=Crypt-Password". Crypt-Password works fine when tested through radtest.
Zoltan Ori
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--johnk
On Saturday 09 July 2005 18:36, jck-freeradius@southwestern.edu wrote:
We currently do dot-Q trunking of VLANS, and my testing AP has been setup to support the configuration. Let me know if you are referring to something else.
That is what I meant.
I was under the impression that if my TCP/IP stach was setup for DHCP, and I received an Access-Accept packet from FreeRadius, that my supplicant would go out and request an IP address. Is this not correct? It is not working for me.
It should work that way. Is the DHCP request getting relayed properly? tcpdump or Ethereal will tell you.
In addition, I also am wondering why I can only use "Attribute=Password" for successful authentication, and not "Attribute=Crypt-Password". Crypt-Password works fine when tested through radtest.
As far as I know, PEAP doesn't support crypt passwords. Try TTLS. Zoltan ori
On Sat, Jul 09, 2005 at 07:01:10PM -0400, Zoltan A. Ori wrote:
On Saturday 09 July 2005 18:36, jck-freeradius@southwestern.edu wrote:
We currently do dot-Q trunking of VLANS, and my testing AP has been setup to support the configuration. Let me know if you are referring to something else.
That is what I meant.
I was under the impression that if my TCP/IP stach was setup for DHCP, and I received an Access-Accept packet from FreeRadius, that my supplicant would go out and request an IP address. Is this not correct? It is not working for me.
It should work that way. Is the DHCP request getting relayed properly? tcpdump or Ethereal will tell you.
In addition, I also am wondering why I can only use "Attribute=Password" for successful authentication, and not "Attribute=Crypt-Password". Crypt-Password works fine when tested through radtest.
As far as I know, PEAP doesn't support crypt passwords. Try TTLS.
My problem with TTLS, is that for what I can tell, Microsoft has no native support for TTLS. Only PEAP. If someone can tell me of another method for doing a TLS tunnel, with no client certificate neeed, and use Crypt passwords, I would be very happy!
Zoltan ori
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--johnk
jck-freeradius@southwestern.edu wrote:
My problem with TTLS, is that for what I can tell, Microsoft has no native support for TTLS. Only PEAP.
If someone can tell me of another method for doing a TLS tunnel, with no client certificate neeed, and use Crypt passwords, I would be very happy!
That is correct. The only way to use Crypted passwords is using TTLS with PAP authentication in the inner tunnel. PEAP will not do it. Unless you have NT/LMv2 hashes in your database or clear text passwords. This is how you set up different clients to use TTLS+PAP http://vuksan.com/linux/dot1x/wpa-client-config.html Vladimir
jck-freeradius@southwestern.edu wrote:
My first question is:
How do I tie all of this together with a DHCPd server, so that they authenticated clients can be assigned an IP address.
That will happen automatically.
How can I implement a DHCPd server into my configuration?
Configure the DHCPd server to assign IP addresses.
Second question:
How can I authenticate against a Crypt-Password, in SQL?
For PEAP, it's impossible. Alan DeKok.
participants (4)
-
Alan DeKok -
jck-freeradius@southwestern.edu -
Vladimir Vuksan -
Zoltan A. Ori