EAP-TLS WinXP, default_md MD5, default_eap_type
The following questions about changing default_md and default_eap_type is solely for the matter that I should have RADIUS work on some Linux-machines and some Windows-machines all of them hopefully with TLS client sertificates mainly. There are some diversities as to MD5 and post SP1 WinXP: http://freeradius.org/doc/EAP-MD5.html QUOTE: Windows XP (before SP1) Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!! EAP-MD5 is only available for wired devices. Go to the Network Connections window. Right-click the connection corresponding to the adapter which is going to use EAP authentication. Go to the "Authentication" tab. If it doesn’t appear (yes, it’s weird sometimes) try to unplug and plug your adapter till it does (if PCMCIA...) Otherwise, download the software for the adapter configuration like e.g. ACU for the Cisco adapters and try to de- and reactivate the card. In the Authentication dialog, assure the box "Use IEEE802.1X network authentication" is checked. Set your EAP type there (EAP/MD5 Challenge). That’s all. Now deactivate and reactivate your LAN-connection on this adapter and it should work. ENDQUOTE. This recommendation is put forth in the etc/raddb/certs/README: QUOTE: MD5 has known weaknesses and is discouraged in favor of SHA1 (see http://www.kb.cert.org/vuls/id/836068 for details). If your network equipment supports the SHA1 signature algorithm, we recommend that you change the "ca.cnf", "server.cnf", and "client.cnf" files to specify the use of SHA1 for the certificates. To do this, change the 'default_md' entry in those files from 'md5' to 'sha1'. ENDQUOTE. In the eap.conf this is put forth: QUOTE: # We do NOT recommend using EAP-MD5 authentication # for wireless connections. It is insecure, and does # not provide for dynamic WEP keys. # md5 { } ENDQUOTE. QUESTIONS: ->Should I stick only to the changes of default_md in ca.*,server.*, and client.cnf and leave the eap.conf unchanged, or should I add a module like: sha1 { } or change the md5{} to sha1{} or should it be done differently? . I count for the postulate in eap.conf that: QUOTE: # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. ENDQUOTE and therefore I do no not need to change so much in eap.conf ->Should I by all means keep winXP-userclient to a PEAP solution because the nice doc in: http://freeradius.org/doc/EAPTLS.pdf for Windows is outdated or wont work today? It could be that I complicate the matter here by mixing together parts that do not belong to each other, but I have to ask.... -- Si St sigbj-st@operamail.com -- http://www.fastmail.fm - The professional email service
Hello, the MD5 that is used in EAP-MD5 (configured in eap.conf) and the MD5 that is used as a message digest in certificate generation (configured in the .cnf files you mentioned) have *nothing* to do with each other. I.e. you can change one without side-effects on the other. Since there is no EAP-SHA1, it does not make sense to add a sha1 { } section in eap.conf. The replacements for MD5 in EAP are things like TTLS, PEAP, TLS, and others. They are mentioned in eap.conf. If you want to get rid of EAP-MD5, configure one of those. Greetings, Stefan Winter On 11.07.2012 21:17, Si St wrote:
The following questions about changing default_md and default_eap_type is solely for the matter that I should have RADIUS work on some Linux-machines and some Windows-machines all of them hopefully with TLS client sertificates mainly.
There are some diversities as to MD5 and post SP1 WinXP:
http://freeradius.org/doc/EAP-MD5.html QUOTE: Windows XP (before SP1)
Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!! EAP-MD5 is only available for wired devices.
Go to the Network Connections window. Right-click the connection corresponding to the adapter which is going to use EAP authentication. Go to the "Authentication" tab. If it doesn’t appear (yes, it’s weird sometimes) try to unplug and plug your adapter till it does (if PCMCIA...) Otherwise, download the software for the adapter configuration like e.g. ACU for the Cisco adapters and try to de- and reactivate the card.
In the Authentication dialog, assure the box "Use IEEE802.1X network authentication" is checked. Set your EAP type there (EAP/MD5 Challenge).
That’s all. Now deactivate and reactivate your LAN-connection on this adapter and it should work. ENDQUOTE.
This recommendation is put forth in the etc/raddb/certs/README: QUOTE: MD5 has known weaknesses and is discouraged in favor of SHA1 (see http://www.kb.cert.org/vuls/id/836068 for details). If your network equipment supports the SHA1 signature algorithm, we recommend that you change the "ca.cnf", "server.cnf", and "client.cnf" files to specify the use of SHA1 for the certificates. To do this, change the 'default_md' entry in those files from 'md5' to 'sha1'. ENDQUOTE.
In the eap.conf this is put forth: QUOTE: # We do NOT recommend using EAP-MD5 authentication # for wireless connections. It is insecure, and does # not provide for dynamic WEP keys. # md5 { } ENDQUOTE.
QUESTIONS: ->Should I stick only to the changes of default_md in ca.*,server.*, and client.cnf and leave the eap.conf unchanged, or should I add a module like: sha1 { } or change the md5{} to sha1{}
or should it be done differently? . I count for the postulate in eap.conf that: QUOTE: # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. ENDQUOTE and therefore I do no not need to change so much in eap.conf
->Should I by all means keep winXP-userclient to a PEAP solution because the nice doc in:
http://freeradius.org/doc/EAPTLS.pdf
for Windows is outdated or wont work today?
It could be that I complicate the matter here by mixing together parts that do not belong to each other, but I have to ask....
Can I connect to radius via a router that has a guestzone? It simply means that the router has an extra guestzone interface that also contains choice for PSK or EAP
From the following information I wonder why the radiusd is not responding.Remember I am trying to log in with the radius from the PC where the radius is installed. Radius is on 192.168.0.198 and I am attempting login or request from 192.168.0.198. This may also be a mistake. Maybe there will be a conflict betw 192.168.0.1 = router and 192.168.0.198 localhost. I simply dont know.
The router is a DLINK 655 The OS is SuSE Linux Enterprise Desktop 10, ServPack 3 The radius is the freeradiu-sserver-2.1.12 Here are the fields from this zone in the router: **ROUTER PART** "Use this section to configure the guest zone settings of your router. The guest zone provide a separate network zone for guest to access Internet": --GUEST ZONE SELECTION-- Enable Guest Zone : (Yes) Wireless Band : 2.4GHz Band Wireless Network Name : EAP_sled (Also called the SSID) Enable Routing Between Zones : (No) Security Mode : WPA-Enterprise --WPA-- WPA Mode : Auto (WPA or WPA2) Cipher Type : TKIP and AES Group Key Update Interval : 3600 (seconds) --EAP (802.1x)-- "When WPA enterprise is enabled, the router uses EAP (802.1x) to authenticate clients via a remote RADIUS server." Authentication Timeout : 60 (minutes) RADIUS server IP Address : 192.168.0.198 RADIUS server Port : 1812 RADIUS server Shared Secret : testing123 MAC Address Authentication : No **CLIENT.CONF** Then I change the client.conf from localhost 127.0.0.1 to the IP of the router 192.168.0.1 #client localhost { # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) # ipaddr = 127.0.0.1 # Test with router: client router { # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) ipaddr = 192.168.0.1 # and I keep rest of it as it was. **/ETC/HOSTS/** I put in a line in /etc/hosts/ (I am not sure if it is right or necessary: # IP-Address Full-Qualified-Hostname Short-Hostname 192.168.0.1 router dlink **YAST CONFIG FOR THE USERCLIENT** I change the setup in system (YaST)from PKS key to EAP: --MODUS-- Accesspoint: (Yes) Ad hoc: no Master: no --NETWORKNAME SSID-- EAP_sled --AUTHENTICATION MODUS-- Open: no Shared key: no WPA-EAP (Yes) WPA-PSK: no EAP Modus: TTLS Identity: sigbj (as in /usr/local/etc/raddb/users) Password: testing-0 (as in /usr/local/etc/raddb/users) Anonymous identity: (left open) Client-Sert: (closed) Client-Key: (closed) Client-Key_password: whatever Server-Sert: /usr/local/etc/raddb/certs/server.csr I have made no changes in eap.conf and radius.conf I try to start the radiusd -X with these changes (the previous test on localhost is successful: "Ready to process requests." And radtest test gives the right feedback:Sending Access-Accept of id 178 to 127.0.0.1 port 1932,so this test part works) Some of the messages from the radiusd -X with the changed client.conf: ........ radiusd: #### Loading Clients #### client router { ipaddr = 192.168.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" ............. ... adding new socket proxy address * port 1047 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. radtest gives this: Sending Access-Request of id 207 to 127.0.0.1 port 1812 User-Name = "sigbj" User-Password = "testing-0" NAS-IP-Address = 192.168.0.198 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 radclient: no response from server for ID 207 socket 3 and radiusd consequently: Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 1048 Trying to login with the Knetworkmanager (KDE) on to the network gives no reaction on the server, server is just waiting, the knetworkmanager may blink or just dryrun. I have a feeling that the server is listening on the 127.0.0.1 instead on 192.168.0.1, but do not know I am of course doing a typical newbie mistake somewhere, but I do not know what. IF YOU NEED THE WHOLE RADIUSD -X LOG AT THIS POINT, PLEASE TELL ME. I have given this explanations to begin with. The problems may also be that a router of this kind cannot be used on freeradius or that the router is 100% "Windows-messed-up". -- Si St sigbj-st@operamail.com -- http://www.fastmail.fm - A no graphics, no pop-ups email service
participants (2)
-
Si St -
Stefan Winter