Hi again people, so a week ago i posted here a problem with 802.1x i had and it turned to be all my users were MD5 password, so that was my problem.Today i created a new DB on a test server, changed on sql.conf and tested.Im getting this error, i tried to understand that, BUT im kinda a newbie on freeradius + linux (i started to learn 1 month ago) and couldnt find the error.I dont know if the error is on MYSQL or freeradius... Appreciate anything you guys can help me!Thanks in advance. nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' AND ( id_tp_usuario in (1, 2, 3) OR ( id_tp_usuario = 4 AND dt_ingresso <= CURDATE() AND dt_egresso >= CURDATE() ) ) ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" }rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linkedrlm_sql (sql): Attempting to connect to root@localhost:/radiusrlm_sql (sql): starting 0rlm_sql (sql): Attempting to connect rlm_sql_mysql #0rlm_sql_mysql: Starting connect to MySQL server for #0rlm_sql (sql): Connected new DB handle, #0rlm_sql (sql): starting 1rlm_sql (sql): Attempting to connect rlm_sql_mysql #1rlm_sql_mysql: Starting connect to MySQL server for #1rlm_sql (sql): Connected new DB handle, #1rlm_sql (sql): starting 2rlm_sql (sql): Attempting to connect rlm_sql_mysql #2rlm_sql_mysql: Starting connect to MySQL server for #2rlm_sql (sql): Connected new DB handle, #2rlm_sql (sql): starting 3rlm_sql (sql): Attempting to connect rlm_sql_mysql #3rlm_sql_mysql: Starting connect to MySQL server for #3rlm_sql (sql): Connected new DB handle, #3rlm_sql (sql): starting 4rlm_sql (sql): Attempting to connect rlm_sql_mysql #4rlm_sql_mysql: Starting connect to MySQL server for #4rlm_sql (sql): Connected new DB handle, #4rlm_sql (sql): Processing generate_sql_clientsrlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nasrlm_sql (sql): Reserving sql socket id: 4rlm_sql (sql): Read entry nasname=172.23.54.2,shortname=ruckus-controller,secret=t3st3rlm_sql (sql): Adding client 172.23.54.2 (ruckus-controller, server=<none>) to clients listrlm_sql (sql): Released sql socket id: 4 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules} # serverserver { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_sql_log Module: Instantiating module "sql_log" from file /etc/freeradius/modules/sql_log sql_log { path = "/var/log/freeradius/radacct/sql-relay" Post-Auth = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S');" sql_user_name = "%{%{User-Name}:-DEFAULT}" utf8 = no safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules} # serverradiusd: #### Opening IP addresses and Ports ####listen { type = "auth" ipaddr = * port = 0}listen { type = "acct" ipaddr = * port = 0}listen { type = "auth" ipaddr = 127.0.0.1 port = 18120}Listening on authentication address * port 1812Listening on accounting address * port 1813Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnelListening on proxy address * port 1814Ready to process requests.rad_recv: Access-Request packet from host 172.23.54.2 port 32777, id=52, length=206 User-Name = "user" Calling-Station-Id = "00-22-43-09-43-BD" NAS-IP-Address = 172.23.54.2 NAS-Port = 1 Called-Station-Id = "68-92-34-91-91-48:UNIFEBE-1X" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "68-92-34-91-91-48" Connect-Info = "CONNECT 802.11b/g" WISPr-Location-Name = "2o-Andar" EAP-Message = 0x020000090175736572 Vendor-25053-Attr-3 = 0x554e49464542452d3158 Message-Authenticator = 0x53dcd42dc46e9bee1e5538df27c8ae45# Executing section authorize from file /etc/freeradius/sites-enabled/default+- entering group authorize {...}++[preprocess] returns ok++[chap] returns noop++[mschap] returns noop++[digest] returns noop[suffix] No '@' in User-Name = "user", looking up realm NULL[suffix] No such realm "NULL"++[suffix] returns noop[eap] EAP packet type response id 0 length 9[eap] No EAP Start, assuming it's an on-going EAP conversation++[eap] returns updated++[unix] returns notfound++[files] returns noop[sql] expand: %{User-Name} -> user[sql] sql_set_user escaped user --> 'user'rlm_sql (sql): Reserving sql socket id: 3[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' AND ( id_tp_usuario in (1, 2, 3) OR ( id_tp_usuario = 4 AND dt_ingresso <= CURDATE() AND dt_egresso >= CURDATE() ) ) ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user' AND ( id_tp_usuario in (1, 2, 3) OR ( id_tp_usuario = 4 AND dt_ingresso <= CURDATE() AND dt_egresso >= CURDATE() ) ) ORDER BY idrlm_sql_mysql: MYSQL check_error: 1054 receivedrlm_sql_getvpdata: database query error[sql] SQL query error; rejecting userrlm_sql (sql): Released sql socket id: 3++[sql] returns failInvalid user: [user/<via Auth-Type = EAP>] (from client ruckus-controller port 1 cli 00-22-43-09-43-BD)Using Post-Auth-Type Reject# Executing group from file /etc/freeradius/sites-enabled/default+- entering group REJECT {...}[attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject] returns updatedDelaying reject of request 0 for 1 secondsGoing to the next requestWaking up in 0.9 seconds.Sending delayed reject for request 0Sending Access-Reject of id 52 to 172.23.54.2 port 32777Waking up in 4.9 seconds.Cleaning up request 0 ID 52 with timestamp +205Ready to process requests.
Well, thanks both of you. Since im not designated to take care of DB i didnt knew about that.The problem was with Freeradius, my DB was correct.The problem was the following: when the prople gave me this Freeradius to test they edited the dialup.conf to add more attributes on the sql, so i just turned everything to the original.Thanks a lot everyone, now 802.1x + freeradius is working perfectly.Now i just need to tell them we need to duplicate our DB and do all password again with cleartext or other supported by microsoft.
Is there any way a Microsoft Notebook authenticate using MD5 or PAP ?By default is only EAP (PEAP) or card/certificate, i need to know if there is anything you guys know that makes windows works on PAP or MD5...Im searching on internet right now to see if i can find, anyways i leave the question open here to anyone who knows.
Brekler Custodio wrote:
Is there any way a Microsoft Notebook authenticate using MD5 or PAP ?
For WiFi? No.
By default is only EAP (PEAP) or card/certificate, i need to know if there is anything you guys know that makes windows works on PAP or MD5...
No.
Im searching on internet right now to see if i can find, anyways i leave the question open here to anyone who knows.
It's impossible. Alan DeKok.
Thanks Alan.On my research i found the same aswek as you said. I found this link...http://support.microsoft.com/kb/922574/en-us That teachs how to re-enable MD5, but didnt worked, so to solve the problem is simple, change our DB.Thanks a lot guys!
I haven't tested it, but I found XSupplicant (http://open1x.sourceforge.net/), and it seems to enable 802.11x authentication with PAP, even on e.g. Windows XP Home machines that don't support 802.11x out of the box. That's what they say anyway. Le 30/11/2012 17:23, Brekler Custodio a écrit :
Is there any way a Microsoft Notebook authenticate using MD5 or PAP ? By default is only EAP (PEAP) or card/certificate, i need to know if there is anything you guys know that makes windows works on PAP or MD5... Im searching on internet right now to see if i can find, anyways i leave the question open here to anyone who knows.
Yes we can. It depends of your system version. On windows seven, PAP is possible. On my windows XP it s not possible. After you can install some drivers or softs mangers for wireless cards wich implements other protocols. From: brekler88@hotmail.com To: freeradius-users@lists.freeradius.org Subject: RE: 802.1x Issue Date: Fri, 30 Nov 2012 16:23:46 +0000 Is there any way a Microsoft Notebook authenticate using MD5 or PAP ?By default is only EAP (PEAP) or card/certificate, i need to know if there is anything you guys know that makes windows works on PAP or MD5...Im searching on internet right now to see if i can find, anyways i leave the question open here to anyone who knows. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well, lets say its not possible... since we are an university, with something about 600 conections every night, with lots of O.S working (70% windows), it would be kinda hard to configure every single computer with a software.Its better to make a new DB with new passwords on EAP and use a .bat + xml profile to configure windows notebooks.
On Fri, Nov 30, 2012 at 09:18:13PM +0000, Brekler Custodio wrote:
Its better to make a new DB with new passwords on EAP and use a .bat + xml profile to configure windows notebooks.
Rather than .bat + xml to do it, there are more user-friendly front-ends available. The main eduroam one (but not limited to eduroam of course) is su1x (http://sourceforge.net/projects/su1x/). I found that had too many features for my liking, and it does confuse some of our users (we still use it at the moment). I put together an MSI installer instead (warning - not well tested) https://github.com/mcnewton/edusetup which is intended to be simpler to use - it follows what they usually expect for an "install". It depends on your user base, but giving a .bat file to our users just wouldn't work (they seem to find it hard enough to follow instructions on how to run a .exe)... Of course, if they are managed Windows devices (especially as part of a windows domain), then EAP-TLS can also be another good option. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Rather than .bat + xml to do it, there are more user-friendly front-ends available. The main eduroam one (but not limited to eduroam of course) is su1x (http://sourceforge.net/projects/su1x/).
I found that had too many features for my liking, and it does confuse some of our users (we still use it at the moment). I put together an MSI installer instead (warning - not well tested) https://github.com/mcnewton/edusetup which is intended to be simpler to use - it follows what they usually expect for an "install".
Well The idea is good, but the .bat would make everything. I configured a 802.1x connection here, then i used netsh to export the profile and save it with a nice name.So the instructions for now are clear. "put the file on C:\ and double click the wireless.bat" So the wireless will delete any profile with the same name and import the new profile. tested on a few windows 7 and worked fine, waiting to test on windows XP and windows 8. But sound nice your idea! Thanks a lot
Have you guys hear about SecureW2 ?People from Cloudpath Networks said they can make it work MD5 hash passwords on 802.1x with TTLS-PAP.They said i can make it work aswell with EAP-TLS via certificates and PKI.Is that correct ? Have anyone tested that before ?
On 03/12/12 16:04, Brekler Custodio wrote:
Have you guys hear about SecureW2 ?
Yes. It's a supplicant (or plugin? I can't remember) with support for EAP-TTLS/PAP on older versions of windows.
People from Cloudpath Networks said they can make it work MD5 hash passwords on 802.1x with TTLS-PAP. They said i can make it work aswell with EAP-TLS via certificates and PKI. Is that correct ? Have anyone tested that before ?
I think that's correct. It used to be quite popular, until the license changed.
Hi,
Have you guys hear about SecureW2 ? People from Cloudpath Networks said they can make it work MD5 hash passwords on 802.1x with TTLS-PAP. They said i can make it work aswell with EAP-TLS via certificates and PKI. Is that correct ? Have anyone tested that before ?
i'll repeat what was already said in this thread: "Old Windows systems need an extra supplicant to do other forms of EAP such as EAP-TTLS/PAP - eg open1X or SecureW2 - Windows 8 now natively supports such EAP methods " so...yes, if you have a backend constraint then you can get around this by making your customers install a 3rd party program to allow eg EAP-TTLS/PAP to be used - which means you can use eg MD5 passwords in the backend. your level of success with such 3rd party supplicants will be mixed and varied...sometimes it wont install, sometimes it has issues with the wireless drivers. alan
i'll repeat what was already said in this thread:
"Old Windows systems need an extra supplicant to do other forms of EAP such as EAP-TTLS/PAP - eg open1X or SecureW2 - Windows 8 now natively supports such EAP methods "
Ohhh now i understand what you mean. good to know.
your level of success with such 3rd party supplicants will be mixed and varied...sometimes it wont install, sometimes it has issues with the wireless drivers. So would you recommend ? Your opinion above looks like you wouldnt do that, since it may not work. Kinda complicated, since we are an university, and need to work with everyone.
On 3 Dec 2012, at 17:17, Brekler Custodio <brekler88@hotmail.com> wrote:
i'll repeat what was already said in this thread:
"Old Windows systems need an extra supplicant to do other forms of EAP such as EAP-TTLS/PAP - eg open1X or SecureW2 - Windows 8 now natively supports such EAP methods "
Ohhh now i understand what you mean. good to know.
your level of success with such 3rd party supplicants will be mixed and varied...sometimes it wont install, sometimes it has issues with the wireless drivers.
So would you recommend ? Your opinion above looks like you wouldnt do that, since it may not work. Kinda complicated, since we are an university, and need to work with everyone.
1) Setup a conversion portal where users can get their passwords rehashed into NT4-Password format, store those passwords in a database or LDAP directory. 2) Buy the cloudpath client, or use one of the other desolvable clients, use it to configure the native windows supplicant. 3) Hire someone who knows what they're doing to fix broken supplicant issues on your help desk. In my experience if you do those three things you will minimise the seathing hatred of your users. If you implement eduroam so they can get on Facebook at other Universities then they might even like you a bit, once they realise what it's for. -Arran
Hi,
So would you recommend ? Your opinion above looks like you wouldnt do that, since it may not work. Kinda complicated, since we are an university, and need to work with everyone.
we are a university and we avoid using any extra programs/utils to perform such duties (especially as the OSes now have 802.1X support natively. we were involved in the OpenSEA alliance a while back and helped evolve the open1x tool but until theres a must-have and compelling reason to go for such a tool (eg perhaps integrated single sign-on with applications via moonshot) then take the basic default OS 802.1X where you can. I believe that SecureW2 was popular in many european countries for eduroam but that has receeded too (and older pre-licence change version is what is used) alan
On 3 Dec 2012, at 17:31, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
So would you recommend ? Your opinion above looks like you wouldnt do that, since it may not work. Kinda complicated, since we are an university, and need to work with everyone.
we are a university and we avoid using any extra programs/utils to perform such duties (especially as the OSes now have 802.1X support natively. we were involved in the OpenSEA alliance a while back and helped evolve the open1x tool but until theres a must-have and compelling reason to go for such a tool (eg perhaps integrated single sign-on with applications via moonshot) then take the basic default OS 802.1X where you can. I believe that SecureW2 was popular in many european countries for eduroam but that has receeded too (and older pre-licence change version is what is used)
That's not to say using a disolvable configuration tool to configure the native supplicant is a bad thing, just that using 3rd party supplicants never seems to work as well as it should. Given enough students you'll find one with wireless drivers that SecureW2 or Open1x refuses to play nicely with. Most times you will be able to get the native supplicant working given enough prodding, but prodding on a large scale is unfeasable without some kind of automated tool, because students are really really bad at following instructions. What ever happened to Open1X anyway, last update in 2011, is it pretty much dead now? -Arran
Hi,
Most times you will be able to get the native supplicant working given enough prodding, but prodding on a large scale is unfeasable without some kind of automated tool, because students are really really bad at following instructions.
oh yes, I agree with that - configuration deployment tool = big yes! - 3rd party suppliance = big no ;-)
What ever happened to Open1X anyway, last update in 2011, is it pretty much dead now?
ISTR that they got bogged down with the whole TNC/posture vaidation thing.....the initial product coming from a company that got divided into the wind (Identity Engines IIRC) - with the opensea alliance just pretty much gone save for some google cached pages and wayback engine storage space. back in 2007 the 802.1X space was a different beast. alan
Hi,
Well, lets say its not possible... since we are an university, with something about 600 conections every night, with lots of O.S working (70%
we are a university with around 6500 concurrent wireless users and 5000 concurrent wired connections in the student residential network.
windows), it would be kinda hard to configure every single computer with a software. Its better to make a new DB with new passwords on EAP and use a .bat + xml profile to configure windows notebooks.
we use a profile deployment tool - our current choice is cloudpath Xpressconnect - which does its job. our Windows clients are configured to use standard microsoft PEAP PEAPv0/MSCHAPv2 - our backend authentication is Microsoft ActiveDirectory - our FreeRADIUS servers authenticate the users via the AD - and we have a post-auth PERL script which does some checks and then, if eg a student - puts them onto a student VLAN. all basic 802.1X and AAA stuff. we are also a member of eduroam - so visitors to our campus who are also from eduroam sites just get online - most without even realising as they have en eduroam profile on their smartphone or tablet. zero config 'open laptop and be online' - all done by the same FreeRADIUS architecture. Old Windows systems need an extra supplicant to do other forms of EAP such as EAP-TTLS/PAP - eg open1X or SecureW2 - Windows 8 now natively supports such EAP methods - so those new surface tablets should make life easier. Just ensure that your settings are actually secure on the clients - ie ensure that the clients are set to trust the CA of your RADIUS server and are set to have the CN of your RADIUS server. alan
Nice, but the thing is, our freeradius is working with a linux DB... IF it was an AD would be much easyer, since everything on Microsoft works fine with other Microsoft O.S.So we really need to make a new DB without MD5.But good to know about what you guys did there.
participants (8)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Brekler Custodio -
Hoggins! -
Matthew Newton -
Phil Mayers -
vazoumana fofana