RE: I can't get 'access-accept' from Linux clients
...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items ... rlm_eap_md5: User-Password is required for EAP-MD5 authentication ...
You can't use encrypted passwords with EAP-MD5. http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP
2008/1/10, Ivan Kalik <tnt@kalik.co.yu>:
...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items ... rlm_eap_md5: User-Password is required for EAP-MD5 authentication ...
You can't use encrypted passwords with EAP-MD5.
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik Kalik Informatika ISP
Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clientes)? TIA -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type. Ivan Kalik Kalik Informatika ISP Dana 11/1/2008, "Sergio Belkin" <sebelk@gmail.com> piše:
2008/1/10, Ivan Kalik <tnt@kalik.co.yu>:
...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items ... rlm_eap_md5: User-Password is required for EAP-MD5 authentication ...
You can't use encrypted passwords with EAP-MD5.
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik Kalik Informatika ISP
Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clientes)?
TIA
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.co.yu wrote:
Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.
Ivan Kalik Kalik Informatika ISP
Dana 11/1/2008, "Sergio Belkin" <sebelk@gmail.com> piše:
2008/1/10, Ivan Kalik <tnt@kalik.co.yu>:
...
rlm_ldap: Added password
{SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items ...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...
You can't use encrypted passwords with EAP-MD5.
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik Kalik Informatika ISP
Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clientes)?
EAP-TTLS with PAP inner encryption. Though you'd need to use SecureW2 or the Open SEA supplicant for the windows side. Otherwise you'd need NT-Hashes for MSChap based methods, or the password stored in the clear.
TIA
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
2008/1/11, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
tnt@kalik.co.yu wrote:
Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.
Ivan Kalik Kalik Informatika ISP
Dana 11/1/2008, "Sergio Belkin" <sebelk@gmail.com> piše:
2008/1/10, Ivan Kalik <tnt@kalik.co.yu>:
...
rlm_ldap: Added password
{SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items ...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...
You can't use encrypted passwords with EAP-MD5.
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik Kalik Informatika ISP
Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clientes)?
EAP-TTLS with PAP inner encryption.
But is is possible configure that so? If I tried default_eap_type = pap and radius didn't start. In fact in Fedora 8 I have configured PAP as inner Authentication ("Wireless Network Secrets Required" dialog box") with wpa_supplicant running.
Though you'd need to use SecureW2 or the Open SEA supplicant for the windows side.
Sure, i use securew3 for windows clients.
Otherwise you'd need NT-Hashes for MSChap based methods, or the password stored in the clear.
Last option is not suitable for :(
TIA
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
Sergio Belkin wrote:
EAP-TTLS with PAP inner encryption.
But is is possible configure that so? If I tried default_eap_type = pap and radius didn't start.
PAP is not an EAP type. The documentation makes this clear: # If the request does not contain an EAP # conversation, then this configuration entry # is ignored. In fact, you shouldn't have to do *anything* for PAP to work inside of a TTLS tunnel. Alan DeKok.
2008/1/11, Alan DeKok <aland@deployingradius.com>:
Sergio Belkin wrote:
EAP-TTLS with PAP inner encryption.
But is is possible configure that so? If I tried default_eap_type = pap and radius didn't start.
PAP is not an EAP type. The documentation makes this clear:
# If the request does not contain an EAP # conversation, then this configuration entry # is ignored.
In fact, you shouldn't have to do *anything* for PAP to work inside of a TTLS tunnel.
Alan DeKok. -
Alan, Thanks for clear up the confusion about EAP and PAP. But still I don't understand this: Now I have a windows client working using securew2 with PAP. If PAP is not into the tunnel does mean that passwords goes unencrypted? TIA -- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
Sergio Belkin wrote:
Alan, Thanks for clear up the confusion about EAP and PAP. But still I don't understand this: Now I have a windows client working using securew2 with PAP. If PAP is not into the tunnel
Then you are not using securew2. When you use TTLS + PAP, the passwords go in the tunnel. Alan DeKok.
2008/1/11, Alan DeKok <aland@deployingradius.com>:
Sergio Belkin wrote:
Alan, Thanks for clear up the confusion about EAP and PAP. But still I don't understand this: Now I have a windows client working using securew2 with PAP. If PAP is not into the tunnel
Then you are not using securew2.
It was about a question not a statement :)
When you use TTLS + PAP, the passwords go in the tunnel.
Ok thanks for your answer, that it was I was asking :)
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
2008/1/11, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
tnt@kalik.co.yu wrote:
Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.
Ivan Kalik Kalik Informatika ISP
Dana 11/1/2008, "Sergio Belkin" <sebelk@gmail.com> piše:
2008/1/10, Ivan Kalik <tnt@kalik.co.yu>:
...
rlm_ldap: Added password
{SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items ...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...
You can't use encrypted passwords with EAP-MD5.
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik Kalik Informatika ISP
Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clientes)?
EAP-TTLS with PAP inner encryption.
Though you'd need to use SecureW2 or the Open SEA supplicant for the windows side.
Otherwise you'd need NT-Hashes for MSChap based methods
Sorry for the stupid and moron question, but how should I do that? Of course I don't ask you that you tell me the step by step, only a clue to follow... thanks in advance , or the password
stored in the clear.
TIA
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk)
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
Yes, but my "beloved" boss want to use encrypted password in ldap :( 2008/1/11, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Store cleartext passwords and all eap types will work. Real problem is the encrypted password not the eap type.
Ivan Kalik Kalik Informatika ISP
Dana 11/1/2008, "Sergio Belkin" <sebelk@gmail.com> piše:
2008/1/10, Ivan Kalik <tnt@kalik.co.yu>:
...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items ... rlm_eap_md5: User-Password is required for EAP-MD5 authentication ...
You can't use encrypted passwords with EAP-MD5.
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik Kalik Informatika ISP
Thanks Ivan! So what default eap type should I use in mixed environment (I mean: Linux and Windows Clientes)?
TIA
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Open Kairos http://www.openkairos.com Watch More TV http://sebelk.blogspot.com Sergio Belkin -
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Ivan Kalik -
Sergio Belkin -
tnt@kalik.co.yu