Hi, is it possible use in LDAP encrypted passwords and EAP/TTLS? Thanks in advance! -- -- Sergio Belkin -
Yes, with EAP-TTLS/PAP. Ivan Kalik Kalik Informatika ISP Dana 12/10/2007, "Sergio Belkin" <sebelk@gmail.com> piše:
Hi, is it possible use in LDAP encrypted passwords and EAP/TTLS? Thanks in advance! -- -- Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2007/10/12, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Yes, with EAP-TTLS/PAP.
Ivan Kalik Kalik Informatika ISP
Dana 12/10/2007, "Sergio Belkin" <sebelk@gmail.com> piše:
Hi, is it possible use in LDAP encrypted passwords and EAP/TTLS? Thanks in advance! -- -- Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But PAP can be used by Windows clients? -- -- Sergio Belkin -
http://www.securew2.com/ Ivan Kalik Kalik Informatika ISP Dana 12/10/2007, "Sergio Belkin" <sebelk@gmail.com> piše:
2007/10/12, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Yes, with EAP-TTLS/PAP.
Ivan Kalik Kalik Informatika ISP
Dana 12/10/2007, "Sergio Belkin" <sebelk@gmail.com> pi�e:
Hi, is it possible use in LDAP encrypted passwords and EAP/TTLS? Thanks in advance! -- -- Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But PAP can be used by Windows clients? -- -- Sergio Belkin -
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2007/10/12, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Ivan Kalik Kalik Informatika ISP
Thanks Ivan, Now I have a radius server working with EAP/TTLS, and windows and securew2 worked fine using PAP. It's a bit strange that first try as anonymous and password fails and then can access successfully. Is that right? LDAP module section in radiusd.conf is as follows: ldap { server = "ldap.cadorna.edu" port = 636 identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu" password = pepe basedn = "ou=people,dc=palermo,dc=edu" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_debug = 0x0028 tls_cacertfile = /etc/raddb/cacert.pem tls_randfile = /dev/urandom tls_require_cert = "allow" access_attr = "radiusAllowed" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 } Debug messages: But I still have some doubts about way of acces: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 10.30.213.5 IP address [10.30.213.5] main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded LDAP ldap: server = "ldap.cadorna.edu" ldap: port = 636 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "/etc/raddb/cacert.pem" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "/dev/urandom" ldap: tls_require_cert = "allow" ldap: password = "pepe" ldap: basedn = "ou=people,dc=cadorna,dc=edu" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "radiusAllowed" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 40 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x5555557a2f30 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/pki/tls/certs/spectrum.xp-key.pem" tls: certificate_file = "/etc/pki/tls/certs/spectrum.xp-crt.pem" tls: CA_file = "/etc/pki/tls/certs/cacert.pem" tls: private_key_password = "(null)" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 10.30.213.5:1812 Listening on accounting 10.30.213.5:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.30.1.151:1030, id=205, length=108 User-Name = "anonymous" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0201000e01616e6f6e796d6f7573 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0x432e769202cc89631a7cd56a55bb7b54 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'ou=people,dc=cadorna,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.cadorna.edu:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/cacert.pem rlm_ldap: setting TLS Key File to /dev/urandom rlm_ldap: bind as cn=freeradius,ou=applications,dc=cadorna,dc=edu/pepe to ldap.cadorna.edu:636 rlm_ldap: waiting for bind result ... request done: ld 0x5555557c3e10 msgid 1 rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with filter (uid=anonymous) request done: ld 0x5555557c3e10 msgid 2 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 205 to 10.30.1.151 port 1030 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5dd8cb1825cff1c7098ac6cc4db7c6c6 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=206, length=172 User-Name = "anonymous" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0202003c158000000032160301002d01000029030174361ae958f7d25520677c8c584e111840583827d0ea19a9208633a82e134bc0000002000a0100 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x5dd8cb1825cff1c7098ac6cc4db7c6c6 Message-Authenticator = 0x78081c16ef12594dc5b37e53ce7052db Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_eap: EAP packet type response id 2 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'ou=people,dc=cadorna,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with filter (uid=anonymous) request done: ld 0x5555557c3e10 msgid 3 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0852], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 206 to 10.30.1.151 port 1030 EAP-Message = 0x0103040a15c0000008af160301004a020000460301471501251e530c8f3770eeb65853642f48d400690040bd7ac6a262397753378e207b75a2b785ec125aa8bc12892656fd51d00df9fbcc6a12cc5e607d0a0b52f6e7000a0016030108520b00084e00084b0003b9308203b53082029da003020102020111300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06 EAP-Message = 0x035504031315436572746966696361746520417574686f72697479301e170d3037313031313233333633305a170d3131313031303233333633305a308193310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f312d302b060355040b1324446570617274616d656e746f20646520436f6d756e69636163696f6e6573202d20737032311d301b06035504031314737065637472756d2e70616c65726d6f2e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100e04585aa76fe88e53fe2e5 EAP-Message = 0xfd4e4c9732987996ca13093a1173f9760319f9bf6b1bbad6702284056432c8b9409e28789a2d91e8027baa1fadcf4951be8b3d1932d6a125dd50d18a57ea8c909eb93b83f73404193b6ebb16e7abcc49ec7b3d2546f65e41d895631ab82cbf09c6744c9d6e01064fd1548487e70baf1179f387430d7f193460f4bf55e9c6cb2100202382b2c0c10929e125f8c32bd5cd0d26c3d908688cb747475263370195f56c256bad4ee232fb9db6bf07966c6ad88f5bfa07143c5a626fde432f3582bdc50164e1b216e902efb947be80f5d64cf05e33e1ba76c3734bd4a1586895b5575ac4ea9f87384629547e75ad7c119c66abe7a07f8c7d0203010001a31730 EAP-Message = 0x1530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100c056381386ae47210e7781b5f29f6e345d3cf3170d7b56f207c5120ad7a0a3f50d8d5089b1b670e12571f30f6035435027ba8a6c0f560c4ed67436b09470a25f6c6ed5f6183671143d0119cdbd58f1564ff62d829557d30db8e3e629cde53dc086b2b6e6cbc199f38653349b1abd884554bde148d0b3c6972f3910a3d9a6004b4b85b5c2bea77f8939d3518d718d5a1290ca6c03f3ce5d98906e243f4cc698360b5d5f3015054f0dc7f0cb42475760038477a75d03c048f80b4f50b554499749833660883b818630ae143a9e0ac935e5e3d594 EAP-Message = 0xf97b881df18c0b1712e00eef6a91fa1582e7f8eb93fa Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbc6e316c0916a2c72bb8084c1c43fb36 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=207, length=118 User-Name = "anonymous" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020300061500 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xbc6e316c0916a2c72bb8084c1c43fb36 Message-Authenticator = 0x6d88059e471bddecd25b24c506427690 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'ou=people,dc=cadorna,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with filter (uid=anonymous) request done: ld 0x5555557c3e10 msgid 4 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 2 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 207 to 10.30.1.151 port 1030 EAP-Message = 0x0104040a15c0000008af4ee3f701692818d33744866b15afbc8774a1ed07b5b43200048c3082048830820370a003020102020101300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f72697479301e170d3035313230313134353835305a170d3135313132393134353835305a30818e310b30090603 EAP-Message = 0x55040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100eb878d17120d3af300ab78838b32fde160463d4ff2693c5ebc59123788f0bfe9d90aaa34a22bab04b8e8f294176215b97f2edf6c686434ad87acccd5ecf7edec871e8449a876cbfe531c5158385aa9d30685723c EAP-Message = 0xf3273b5d2d8cde4ca62b0c07c3bdd54be96f2f68074454281c527079276d3388dcdb097e730c419f58d24eaca71fd8c5d8b6fe023154b9bdb920dc6ac013a57dc9bf94b99250b47bc32a07afbf2a2eddd37bdb8f0421f7df33eb999dce70784d065458b5e590f1c285837464709c6af7e3ae092dd38372420e780d8567699d534897f298fcde4309a2f66afee6dce842a69c31f1ca580454665eae87a04881b0bbb009928b30ef374fa534e50203010001a381ee3081eb301d0603551d0e04160414fd77533bb6a66d1e3b48bfb5d21501d829ddf4693081bb0603551d230481b33081b08014fd77533bb6a66d1e3b48bfb5d21501d829ddf469a18194 EAP-Message = 0xa4819130818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f72697479820101300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010066656bbb8617d0aa046d938fb367586fb47ba22a4c54ccfc21d3bdc13ae39df3cd89029a0b5bcacb39977e824d94ba8c61296ce2e38d91e22766ce9ce6d988580251e19e EAP-Message = 0xf037cea75d86cb016c26f8d51bb33fbe8f07daf1f9fc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd11701cb88ee7e968ed572be6218ea0d Finished request 2 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=208, length=118 User-Name = "anonymous" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020400061500 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xd11701cb88ee7e968ed572be6218ea0d Message-Authenticator = 0x530bf822a6c0e96e9260a0a221d20204 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "files" returns notfound for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'ou=people,dc=cadorna,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with filter (uid=anonymous) request done: ld 0x5555557c3e10 msgid 5 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 3 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 208 to 10.30.1.151 port 1030 EAP-Message = 0x010500b91580000008af78833f2254362517e85e9dcd2c4362773223204e9c66dff65f08f319c5c9a2bb6a6de09b6534fd5df1fc14ba8dc996930e5413bbb2d4cae1c5aa68abe3785bec762c0c47246c2a89066512727dfc1c8b96fb0005841d05009db8e084a3931d2046b4d8047d2c182c9b0a5b5f340ee1b4331ec0ece5185dc33e4f100ec0a0a7e6e2bad313ea717fa4d4ed2e913575014832f80d0298e5c662015b0729eabd6220c0082326acb516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0c5dcc515069eabe0685e09b9153c59f Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=209, length=442 User-Name = "anonymous" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0205014815800000013e16030101061000010201008894a872f7066bcdf30d93cd5d96d9c8354815a83622ddb708d5dedd33a883c1dbda39363b72bf305e359a6642baf55d82ad010120655456c06fbca4ac48e83c08dcf02f953c2decb740c5c602087b894ad8ca67d768dd0abd234060c575942d8e2643628e5a38bd4672ba5d3f4fff30aff6deba50a4b626d42bd534d5497854c84b6891139c15f0041fbea41e28161184ff4bba34baa99b9da23c29a6edcd753b0ca439098ffe06c9037b1be29650bfc846d1db107034d516fc206f5dc6aa876636123ee6d945f9e318061089ccc195fda70b58bbf07ea4b6a10f0227424d7bc880ee4111e75bcf EAP-Message = 0x74d784c02643d63a866b9c7a0edb103c526bbd8630be47ab140301000101160301002813603db1a3d6d6591c0cc76e948eb0a0a5b2fc42740c6cf0f9dbf9c6fb0233c06518ead9e3e9426a Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x0c5dcc515069eabe0685e09b9153c59f Message-Authenticator = 0xb25f21fae175940ad726f5208d26c62f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "files" returns notfound for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'ou=people,dc=cadorna,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with filter (uid=anonymous) request done: ld 0x5555557c3e10 msgid 6 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 209 to 10.30.1.151 port 1030 EAP-Message = 0x0106003d15800000003314030100010116030100287c4109666ce0d97286c430e838102c1f8ba072e170d34dfecc9a9a7ea641126fd7b465467ce35326 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99039ab9ca15aabf0e212562acf87793 Finished request 4 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=210, length=183 User-Name = "anonymous" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0206004715800000003d17030100384acba6c28662f7879facf05e15e63ac54d47d41ae634573ec2b501d26beb339b35a25fecd56f21b6edc005ba6e2b50089848df925ad21f37 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x99039ab9ca15aabf0e212562acf87793 Message-Authenticator = 0xed3e3e688d2e6a9697d399a851a050a7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_eap: EAP packet type response id 6 length 71 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'ou=people,dc=cadorna,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with filter (uid=anonymous) request done: ld 0x5555557c3e10 msgid 7 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 5 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 5 modcall[authorize]: module "files" returns notfound for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for prueba radius_xlat: '(uid=prueba)' radius_xlat: 'ou=people,dc=cadorna,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with filter (uid=prueba) request done: ld 0x5555557c3e10 msgid 8 rlm_ldap: checking if remote access for prueba is allowed by radiusAllowed rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user prueba authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns ok) for request 5 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 5 rlm_ldap: - authenticate rlm_ldap: login attempt by "prueba" with password "probando" rlm_ldap: user DN: uid=prueba,ou=people,dc=cadorna,dc=edu rlm_ldap: (re)connect to ldap.cadorna.edu:636, authentication 1 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/cacert.pem rlm_ldap: setting TLS Key File to /dev/urandom rlm_ldap: bind as uid=prueba,ou=people,dc=cadorna,dc=edu/probando to ldap.cadorna.edu:636 rlm_ldap: waiting for bind result ... request done: ld 0x5555558851e0 msgid 1 rlm_ldap: Bind was successful rlm_ldap: user prueba authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 5 modcall: leaving group LDAP (returns ok) for request 5 TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 5 modcall: leaving group authenticate (returns ok) for request 5 Sending Access-Accept of id 210 to 10.30.1.151 port 1030 MS-MPPE-Recv-Key = 0xc7f9060ca81ffa0fcf19e0de87df3b444b6b325a73bcf2320f4192125955fcc1 MS-MPPE-Send-Key = 0x6f193dd711b2d3087f74475ca81316bb8e58f2078867b0218811ec4db77c3973 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" Finished request 5 Going to the next request Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 205 with timestamp 47150124 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 206 with timestamp 47150125 Cleaning up request 2 ID 207 with timestamp 47150125 Cleaning up request 3 ID 208 with timestamp 47150125 Cleaning up request 4 ID 209 with timestamp 47150125 Cleaning up request 5 ID 210 with timestamp 47150125 Nothing to do. Sleeping until we see a request.
Dana 12/10/2007, "Sergio Belkin" <sebelk@gmail.com> piše:
2007/10/12, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Yes, with EAP-TTLS/PAP.
Ivan Kalik Kalik Informatika ISP
Dana 12/10/2007, "Sergio Belkin" <sebelk@gmail.com> pi�e:
Hi, is it possible use in LDAP encrypted passwords and EAP/TTLS? Thanks in advance! -- -- Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But PAP can be used by Windows clients? -- -- Sergio Belkin -
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Sergio Belkin -
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sergio Belkin wrote:
2007/10/12, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Ivan Kalik Kalik Informatika ISP
Thanks Ivan,
Now I have a radius server working with EAP/TTLS, and windows and securew2 worked fine using PAP. It's a bit strange that first try as anonymous and password fails and then can access successfully. Is that right?
"anonymous" is the user outside the TLS tunnel. The real authentication is done inside the tunnel, outside prying eyes. "anonymous" is to keep user identity... anonymous. - -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHFQi79Y3/iTTCEDkRAoJ7AKClKubZ1XomWSYCBN9jYzf2bEso4gCfT4id sN54QMdhCCYadnxHtgKqiJo= =JazI -----END PGP SIGNATURE-----
participants (3)
-
Martin Gadbois -
Sergio Belkin -
tnt@kalik.co.yu