Hi, you probably want to set peap as your default EAP type in eap.conf to save s couple of packets and a NAK. I don't see the ntlm_auth being called, have you edited the mschap module? The host name is rather short....are you sure this host is bound into an AD? alan
Sorry, I was not clean with my setup information. We do not have a domain, these are stand alone windows 7 devices. We also have some tablets and some linux boxes. Concern right now is the Windows 7 devices. I didn't know that you cannot do machine authentication without a domain.... User authentication in my environment is just not an option because all of the devices need to have a connection to the network at all times even if nobody is logged in. Should I be using PEAP/EAP-TLS instead? If so do you know of any good setup documentation for that? Dan. On Fri, Dec 7, 2012 at 11:42 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
you probably want to set peap as your default EAP type in eap.conf to save s couple of packets and a NAK.
I don't see the ntlm_auth being called, have you edited the mschap module?
The host name is rather short....are you sure this host is bound into an AD?
alan
On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
Sorry, I was not clean with my setup information. We do not have a domain, these are stand alone windows 7 devices. We also have some tablets and some linux boxes. Concern right now is the Windows 7 devices. I didn't know that you cannot do machine authentication without a domain....
You can, but you'll need to handle the certificates on the hosts manually. That's usually such a pain that the only real solution is to use AD. If you've got a small number of devices, or can write some other automated method of deploying certs, then it can be possible to handle. What you /can't/ do is both User auth (mschap - username + password) *and* Computer auth (certificates - EAP-TLS) in the same connection, as the default Windows supplicant, like most, doesn't support client certificates with PEAP (and user auth - mschap - needs to be inside PEAP).
User authentication in my environment is just not an option because all of the devices need to have a connection to the network at all times even if nobody is logged in. Should I be using PEAP/EAP-TLS instead?
There are no good reasons for doing PEAP/EAP-TLS unless you want to use SoH. PEAP adds overhead to the auth, with no added benefit.
If so do you know of any good setup documentation for that?
I wrote up how to do PEAP/EAP-TLS a while back - you can find it here: http://q.asd.me.uk/pet That said - your connection is trying to do PEAP, so you've configured your client for either 'certifiates' or mschap inside PEAP. I forget the exact options in the interface, but you need to choose 'certificates' rather than 'PEAP', then select the client certificate that you want to auth with - which will be one that is signed by the same CA that the CA_file option in your FreeRADIUS eap.conf file points to. Make sure it's set to 'Computer' auth, not 'User' or 'User + Computer'. In theory, you'll then find that it Just Works. But the Windows config interface takes a bit of head scratching to get around until you understand what it's doing under the hood. Cheers Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thank you Matthew for the clarification I could successfully get the windows 7 client to try and make a request (you defiantly need to have the certs imported into exactly the correct spots). But now my debug log says that its failing. This is a default 2.1.12 install with the switch added to the clients.conf file. rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204, length=180 User-Name = "host/user@example.com" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "9C-AF-CA-F4-40-10" Calling-Station-Id = "64-31-50-7D-72-DE" EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d Message-Authenticator = 0x41f4a411366a244a23e887c859436d0b NAS-Port-Type = Ethernet NAS-Port = 50016 NAS-Port-Id = "GigabitEthernet0/16" NAS-IP-Address = 10.11.200.73 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "example.com" for User-Name = "host/ user@example.com" [suffix] Found realm "example.com" [suffix] Adding Stripped-User-Name = "host/user" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user host/user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 231 to 127.0.0.1 port 1812 User-Name = "host/user" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "9C-AF-CA-F4-40-10" Calling-Station-Id = "64-31-50-7D-72-DE" EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port-Type = Ethernet NAS-Port = 50016 NAS-Port-Id = "GigabitEthernet0/16" NAS-IP-Address = 10.11.200.73 Proxy-State = 0x323034 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 231 to 127.0.0.1 port 1812 User-Name = "host/user" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "9C-AF-CA-F4-40-10" Calling-Station-Id = "64-31-50-7D-72-DE" EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port-Type = Ethernet NAS-Port = 50016 NAS-Port-Id = "GigabitEthernet0/16" NAS-IP-Address = 10.11.200.73 Proxy-State = 0x323034 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231, length=171 User-Name = "host/user" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "9C-AF-CA-F4-40-10" Calling-Station-Id = "64-31-50-7D-72-DE" EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d Message-Authenticator = 0x0d22b2b1d5102149a8c1c731bc6613dd NAS-Port-Type = Ethernet NAS-Port = 50016 NAS-Port-Id = "GigabitEthernet0/16" NAS-IP-Address = 10.11.200.73 Proxy-State = 0x323034 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 231 to 127.0.0.1 port 1814 Proxy-State = 0x323034 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=231, length=25 Proxy-State = 0x323034 # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/ user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 204 to 10.11.200.73 port 1645 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 231 with timestamp +14 Cleaning up request 0 ID 204 with timestamp +14 Ready to process requests. On Fri, Dec 7, 2012 at 2:23 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
Sorry, I was not clean with my setup information. We do not have a domain, these are stand alone windows 7 devices. We also have some tablets and some linux boxes. Concern right now is the Windows 7 devices. I didn't know that you cannot do machine authentication without a domain....
You can, but you'll need to handle the certificates on the hosts manually. That's usually such a pain that the only real solution is to use AD. If you've got a small number of devices, or can write some other automated method of deploying certs, then it can be possible to handle.
What you /can't/ do is both User auth (mschap - username + password) *and* Computer auth (certificates - EAP-TLS) in the same connection, as the default Windows supplicant, like most, doesn't support client certificates with PEAP (and user auth - mschap - needs to be inside PEAP).
User authentication in my environment is just not an option because all of the devices need to have a connection to the network at all times even if nobody is logged in. Should I be using PEAP/EAP-TLS instead?
There are no good reasons for doing PEAP/EAP-TLS unless you want to use SoH. PEAP adds overhead to the auth, with no added benefit.
If so do you know of any good setup documentation for that?
I wrote up how to do PEAP/EAP-TLS a while back - you can find it here: http://q.asd.me.uk/pet
That said - your connection is trying to do PEAP, so you've configured your client for either 'certifiates' or mschap inside PEAP. I forget the exact options in the interface, but you need to choose 'certificates' rather than 'PEAP', then select the client certificate that you want to auth with - which will be one that is signed by the same CA that the CA_file option in your FreeRADIUS eap.conf file points to. Make sure it's set to 'Computer' auth, not 'User' or 'User + Computer'.
In theory, you'll then find that it Just Works. But the Windows config interface takes a bit of head scratching to get around until you understand what it's doing under the hood.
Cheers
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
[eap] Identity does not match User-Name, setting from EAP Identity.
EAP doesnt like the user-name being played around with....ensure that you 'nostrip' in your proxy.conf for the realm you are handling....or use 'stripped-user-name' for the checks/handlers. alan
Alan, I have added 'nostrip' to the realm example.com and it looks like it has problems with that. Possibly some sort of loop? https://docs.google.com/open?id=0B57E1K2jJi4DZGwzSUtDajdQV2s On Sun, Dec 9, 2012 at 9:58 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
[eap] Identity does not match User-Name, setting from EAP Identity.
EAP doesnt like the user-name being played around with....ensure that you 'nostrip' in your proxy.conf for the realm you are handling....or use 'stripped-user-name' for the checks/handlers.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is my proxy.conf file contents: proxy server { default_fallback = no } home_server localhost { type = auth ipaddr = 127.0.0.1 port = 1812 secret = testing123 require_message_authenticator = yes response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 max_outstanding = 65536 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover nostrip } realm LOCAL { } On Sun, Dec 9, 2012 at 11:09 AM, Dan Letkeman <danletkeman@gmail.com> wrote:
Alan,
I have added 'nostrip' to the realm example.com and it looks like it has problems with that. Possibly some sort of loop?
https://docs.google.com/open?id=0B57E1K2jJi4DZGwzSUtDajdQV2s
On Sun, Dec 9, 2012 at 9:58 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk>wrote:
Hi,
[eap] Identity does not match User-Name, setting from EAP Identity.
EAP doesnt like the user-name being played around with....ensure that you 'nostrip' in your proxy.conf for the realm you are handling....or use 'stripped-user-name' for the checks/handlers.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SOLVED. Modified my proxy.conf file as per another list post. You cannot just add the 'nostrip' option to the realm. You must remove the home_server and home_server_pool, but keep the options from the home_server and put them under the realm. This solves the DOS loop problem. Example proxy.conf: proxy server { default_fallback = no } realm example.com { type = auth ipaddr = 127.0.0.1 port = 1812 secret = testing123 require_message_authenticator = yes response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 max_outstanding = 65536 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } nostrip } realm LOCAL { } On Sun, Dec 9, 2012 at 1:56 PM, Dan Letkeman <danletkeman@gmail.com> wrote:
Here is my proxy.conf file contents:
proxy server {
default_fallback = no
}
home_server localhost { type = auth
ipaddr = 127.0.0.1
port = 1812
secret = testing123
require_message_authenticator = yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
max_outstanding = 65536
coa { irt = 2
mrt = 16
mrc = 5
mrd = 30 } }
home_server_pool my_auth_failover { type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
nostrip
}
realm LOCAL { }
On Sun, Dec 9, 2012 at 11:09 AM, Dan Letkeman <danletkeman@gmail.com>wrote:
Alan,
I have added 'nostrip' to the realm example.com and it looks like it has problems with that. Possibly some sort of loop?
https://docs.google.com/open?id=0B57E1K2jJi4DZGwzSUtDajdQV2s
On Sun, Dec 9, 2012 at 9:58 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk>wrote:
Hi,
[eap] Identity does not match User-Name, setting from EAP Identity.
EAP doesnt like the user-name being played around with....ensure that you 'nostrip' in your proxy.conf for the realm you are handling....or use 'stripped-user-name' for the checks/handlers.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
SOLVED. Modified my proxy.conf file as per another list post. You cannot just add the 'nostrip' option to the realm. You must remove the home_server and home_server_pool, but keep the options from the home_server and put them under the realm.
or do as I said in my post tonight. you can keep the default home_server values etc then...and your realm staements stay tidy. if you define auth_pools etc for your homesever then things get loopy (I'd have replied earlier but you pasted your test onto google docs and my phone didnt have decent enough connectivity at the time to go web fetching) alan
On 12/09/2012 08:18 PM, Dan Letkeman wrote:
SOLVED. Modified my proxy.conf file as per another list post. You cannot just add the 'nostrip' option to the realm. You must remove the home_server and home_server_pool, but keep the options from the home_server and put them under the realm.
This solves the DOS loop problem.
It "solves" a problem you shouldn't be seeing in the first place. Windows "machine" auth usernames are of the form: host/name.domain.com Where is the @REALM coming from?
I am using all of the defaults from a freeradius install. example.com On Mon, Dec 10, 2012 at 5:12 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 12/09/2012 08:18 PM, Dan Letkeman wrote:
SOLVED. Modified my proxy.conf file as per another list post. You cannot just add the 'nostrip' option to the realm. You must remove the home_server and home_server_pool, but keep the options from the home_server and put them under the realm.
This solves the DOS loop problem.
It "solves" a problem you shouldn't be seeing in the first place. Windows "machine" auth usernames are of the form:
host/name.domain.com
Where is the @REALM coming from?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi,
I am using all of the defaults from a freeradius install. [1]example.com
Phils point was that a computer/machine authentication wont be sent with a realm, it will be of the form host/name.domain - where name is the hostname of the computer and domain will be its AD domain... alan
Hi,
I have added 'nostrip' to the realm [1]example.com and it looks like it has problems with that. Possibly some sort of loop?
looks like it, just realm example.com { nostrip } should do - ie take this request locally/directly alan
participants (4)
-
Alan Buxey -
Dan Letkeman -
Matthew Newton -
Phil Mayers