Freeradius authentification against Kerberos
Hi, I’m a newbie with Freeserver. It is my first time with it. I try to make a configuration against Kerberos with your freeradius-server on centOS 6.5. I use FreeRadius 2.1.12 But now I got everytime the error: „no authenticate method (Auth-Type) found for the request“. So every user got a reject. I setup the server like explained at this tutorial from eduroam.us: https://www.eduroam.us/node/45 My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work. Can anyone help me, please? I attached the logs. Thanks, and best Benjamin.
AFAIK, Kerberos needs PAP authentication, so PEAP with MSCHAPv2 is already off the table. Kerberos is an authentication oracle, so it requires the plain-text password for the user. MSCHAPv2 does not expose that password. Stefan From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Benjamin Stahl Sent: 23 July 2014 14:55 To: Freeradius Mailing-List Subject: Freeradius authentification against Kerberos Hi, I’m a newbie with Freeserver. It is my first time with it. I try to make a configuration against Kerberos with your freeradius-server on centOS 6.5. I use FreeRadius 2.1.12 But now I got everytime the error: „no authenticate method (Auth-Type) found for the request“. So every user got a reject. I setup the server like explained at this tutorial from eduroam.us<http://eduroam.us>: https://www.eduroam.us/node/45 My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work. Can anyone help me, please? I attached the logs. Thanks, and best Benjamin. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Benjamin Stahl Sent: Wednesday, July 23, 2014 9:55 AM To: Freeradius Mailing-List Subject: Freeradius authentification against Kerberos Hi, I’m a newbie with Freeserver. It is my first time with it. I try to make a configuration against Kerberos with your freeradius-server on centOS 6.5. I use FreeRadius 2.1.12 Please use 2.2.5 if you can. But now I got everytime the error: „no authenticate method (Auth-Type) found for the request“. So every user got a reject. I setup the server like explained at this tutorial from eduroam.us<http://eduroam.us>: https://www.eduroam.us/node/45 Under authenticate {}, make sure you have following lines: Auth-Type PAP { pap } Auth-Type Kerberos { krb5 } My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work. Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS. Can anyone help me, please? I attached the logs. Thanks, and best Benjamin.
Hey thanks for your fast answer. As a Windows 7 client, i can only authentificate PEAP - MSCHAPv2, right? I looked at the network settings, i did not find EAP-TTLS. Is it right?
Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS.
Am 23.07.2014 um 17:10 schrieb Wang, Yu <ywang10@fsu.edu>:
From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Benjamin Stahl Sent: Wednesday, July 23, 2014 9:55 AM To: Freeradius Mailing-List Subject: Freeradius authentification against Kerberos
Hi,
I’m a newbie with Freeserver. It is my first time with it. I try to make a configuration against Kerberos with your freeradius-server on centOS 6.5. I use FreeRadius 2.1.12
Please use 2.2.5 if you can.
But now I got everytime the error: „no authenticate method (Auth-Type) found for the request“. So every user got a reject. I setup the server like explained at this tutorial from eduroam.us: https://www.eduroam.us/node/45
Under authenticate {}, make sure you have following lines:
Auth-Type PAP { pap } Auth-Type Kerberos { krb5 }
My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work.
Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS.
Can anyone help me, please?
I attached the logs.
Thanks, and best Benjamin.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Benjamin, Windows 7 does not support EAP-TTLS out of the box. You have to install a third-party supplicant (SecureW2 appears to be the favourite) to gain EAP-TTLS support. Stefan From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Benjamin Stahl (TH-Wildau.de) Sent: 23 July 2014 16:54 To: FreeRadius users mailing list Subject: Re: Freeradius authentification against Kerberos Hey thanks for your fast answer. As a Windows 7 client, i can only authentificate PEAP - MSCHAPv2, right? I looked at the network settings, i did not find EAP-TTLS. Is it right? Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS. Am 23.07.2014 um 17:10 schrieb Wang, Yu <ywang10@fsu.edu<mailto:ywang10@fsu.edu>>: From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org<mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org> [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Benjamin Stahl Sent: Wednesday, July 23, 2014 9:55 AM To: Freeradius Mailing-List Subject: Freeradius authentification against Kerberos Hi, I'm a newbie with Freeserver. It is my first time with it. I try to make a configuration against Kerberos with your freeradius-server on centOS 6.5. I use FreeRadius 2.1.12 Please use 2.2.5 if you can. But now I got everytime the error: "no authenticate method (Auth-Type) found for the request". So every user got a reject. I setup the server like explained at this tutorial from eduroam.us<http://eduroam.us/>: https://www.eduroam.us/node/45 Under authenticate {}, make sure you have following lines: Auth-Type PAP { pap } Auth-Type Kerberos { krb5 } My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work. Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS. Can anyone help me, please? I attached the logs. Thanks, and best Benjamin. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Hi everybody, thank you very much for your help. Is possible to configure both variants? EAP-TTLS and PEAP-MSCHAPv2. I got EAP-TTLS work under Ubuntu-Client with TTLS. Can you give me a info how i can connect Winbind to the NT-Domain? Thanks. Am 23.07.2014 um 18:25 schrieb Stefan Paetow <Stefan.Paetow@ja.net>:
Hi Benjamin,
Windows 7 does not support EAP-TTLS out of the box. You have to install a third-party supplicant (SecureW2 appears to be the favourite) to gain EAP-TTLS support.
Stefan
Hi Benjamin Am 24.07.2014 um 07:29 schrieb Benjamin Stahl (TH-Wildau.de):
Is possible to configure both variants? EAP-TTLS and PEAP-MSCHAPv2. I got EAP-TTLS work under Ubuntu-Client with TTLS. Yes, FreeRADIUS actually can enable multiple EAP methods on the same server, you just need to configure them (and not disable them - most pre-packaged default configs enable all modules)
Can you give me a info how i can connect Winbind to the NT-Domain? Thanks. Is it a NT4-style domain or Active Directory?
If it is AD, look up the howtos on the FreeRADIUS wiki and Alan's deployingradius.com. Samba 4 Domains behave like Microsoft AD. These howtos are pretty complete as it's a common and regularly asked use case. If it is a Samba 3 NT4-style domain, things might be different with winbind. (haven't done that) -- Mathieu
Is it a NT4-style domain or Active Directory? We have a Active Directory
Thanks I will look at the wiki Am 24.07.2014 um 08:29 schrieb Mathieu Simon (Lists) <matsimon.lists@simweb.ch>:
Hi Benjamin
Am 24.07.2014 um 07:29 schrieb Benjamin Stahl (TH-Wildau.de):
Is possible to configure both variants? EAP-TTLS and PEAP-MSCHAPv2. I got EAP-TTLS work under Ubuntu-Client with TTLS. Yes, FreeRADIUS actually can enable multiple EAP methods on the same server, you just need to configure them (and not disable them - most pre-packaged default configs enable all modules)
Can you give me a info how i can connect Winbind to the NT-Domain? Thanks. Is it a NT4-style domain or Active Directory?
If it is AD, look up the howtos on the FreeRADIUS wiki and Alan's deployingradius.com. Samba 4 Domains behave like Microsoft AD. These howtos are pretty complete as it's a common and regularly asked use case.
If it is a Samba 3 NT4-style domain, things might be different with winbind. (haven't done that)
-- Mathieu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes, absolutely. Set the TTLS default_eap_type to mschapv2 and you should be ok... you will need to use SAMBA on the FreeRADIUS box to talk to ActiveDirectory, but the instructions that Alan DeKok has at http://deployingradius.com/documents/configuration/active_directory.html are pretty concise and explanatory. Alternatively, read http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW... (which apparently was updated 2 days ago). :-) One thing that you have to be aware of (which Alan does not mention but the How-To on the FreeRADIUS site does) is that you must grant read access for the freerad user (on Ubuntu, radiusd on RHEL systems) to the winbindd_privileged directory. One way is to add the user to the winbind group (I think it's wbpriv on RHEL, might be similar on Ubuntu), otherwise you will get an error from ntlm_auth when it attempts an authentication when running as user radiusd/freerad. But if you follow the instructions, it is easy to integrate FreeRADIUS with AD. Stefan From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Benjamin Stahl (TH-Wildau.de) Sent: 24 July 2014 06:29 To: FreeRadius users mailing list Subject: Re: Freeradius authentification against Kerberos Importance: High Hi everybody, thank you very much for your help. Is possible to configure both variants? EAP-TTLS and PEAP-MSCHAPv2. I got EAP-TTLS work under Ubuntu-Client with TTLS. Can you give me a info how i can connect Winbind to the NT-Domain? Thanks. Am 23.07.2014 um 18:25 schrieb Stefan Paetow <Stefan.Paetow@ja.net<mailto:Stefan.Paetow@ja.net>>: Hi Benjamin, Windows 7 does not support EAP-TTLS out of the box. You have to install a third-party supplicant (SecureW2 appears to be the favourite) to gain EAP-TTLS support. Stefan Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
You can use third party plugins but I strongly discourage you to use EAP-TTLS with Kerberos/PAP because it has security holes. We use FreeRadius and NTLM. In searching more efficient method than NTLM, I looked into EAP-TTLS with Kerberos but a brother university network engineer showed me how a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I completely abandoned the idea of using it. For your environment, PEAP MSCHAPv2 will work. Yu Wang ____________________________ Network Architect Information Technology Services The Florida State University 850-645-6810 yu.wang@fsu.edu From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Benjamin Stahl (TH-Wildau.de) Sent: Wednesday, July 23, 2014 11:54 AM To: FreeRadius users mailing list Subject: Re: Freeradius authentification against Kerberos Hey thanks for your fast answer. As a Windows 7 client, i can only authentificate PEAP - MSCHAPv2, right? I looked at the network settings, i did not find EAP-TTLS. Is it right? Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS. Am 23.07.2014 um 17:10 schrieb Wang, Yu <ywang10@fsu.edu<mailto:ywang10@fsu.edu>>: From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org<mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org> [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Benjamin Stahl Sent: Wednesday, July 23, 2014 9:55 AM To: Freeradius Mailing-List Subject: Freeradius authentification against Kerberos Hi, I'm a newbie with Freeserver. It is my first time with it. I try to make a configuration against Kerberos with your freeradius-server on centOS 6.5. I use FreeRadius 2.1.12 Please use 2.2.5 if you can. But now I got everytime the error: "no authenticate method (Auth-Type) found for the request". So every user got a reject. I setup the server like explained at this tutorial from eduroam.us<http://eduroam.us/>: https://www.eduroam.us/node/45 Under authenticate {}, make sure you have following lines: Auth-Type PAP { pap } Auth-Type Kerberos { krb5 } My problem is also that a PEAP - MSCHAPv2 auth from a Windows 7 - PC does not work. Cannot use PEAP MSCHAPv2. You have to use EAP-TTLS. Can anyone help me, please? I attached the logs. Thanks, and best Benjamin. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wang, Yu wrote:
You can use third party plugins but I strongly discourage you to use EAP-TTLS with Kerberos/PAP because it has security holes.
Not really.
We use FreeRadius and NTLM.
It's 2014. MS-CHAP is only slightly harder to crack than PAP.
In searching more efficient method than NTLM, I looked into EAP-TTLS with Kerberos but a brother university network engineer showed me how a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I completely abandoned the idea of using it.
Please enlighten me. Alan DeKok.
On Jul 23, 2014, at 3:47 PM, Alan DeKok <aland@deployingradius.com> wrote:
Wang, Yu wrote:
You can use third party plugins but I strongly discourage you to use EAP-TTLS with Kerberos/PAP because it has security holes.
Not really.
We use FreeRadius and NTLM.
It's 2014. MS-CHAP is only slightly harder to crack than PAP.
In searching more efficient method than NTLM, I looked into EAP-TTLS with Kerberos but a brother university network engineer showed me how a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I completely abandoned the idea of using it.
Please enlighten me.
Just to clarify for those reading the mailing list archives. The OP doesn’t really understanding what he’s talking about. TTLS-PAP is secure in itself. He is referring to MITMA executed by a rogue AP. As Alan the Alans state, MS-CHAP (PEAP/TTLS-MSCHAPv2) is only slightly harder to crack with a similar attack. A modified version of FreeRADIUS was released to enable exactly those sorts of attacks a few years ago. Don’t stop using TTLS-PAP, it’s fine. -Arran
-----Original Message----- From: freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: Thursday, July 24, 2014 10:41 AM To: FreeRadius users mailing list Subject: Re: Freeradius authentification against Kerberos On Jul 23, 2014, at 3:47 PM, Alan DeKok <aland@deployingradius.com> wrote:
Wang, Yu wrote:
You can use third party plugins but I strongly discourage you to use EAP-TTLS with Kerberos/PAP because it has security holes.
Not really.
We use FreeRadius and NTLM.
It's 2014. MS-CHAP is only slightly harder to crack than PAP.
In searching more efficient method than NTLM, I looked into EAP-TTLS with Kerberos but a brother university network engineer showed me how a hacker could steal user passwords easily with EAP-TTLS/Kerberos. I completely abandoned the idea of using it.
Please enlighten me.
Just to clarify for those reading the mailing list archives. The OP doesn't really understanding what he's talking about. TTLS-PAP is secure in itself. He is referring to MITMA executed by a rogue AP.
Yes, I was referring to MITM with a rogue AP broadcasting campus SSID and harvest username and password sent in clear.
As Alan the Alans state, MS-CHAP (PEAP/TTLS-MSCHAPv2) is only slightly harder to crack with a similar attack.
It is slightly better than cleartext password. The hacker has to crack it vs just uses it right away.
A modified version of FreeRADIUS was released to enable exactly those sorts of attacks a few years ago. Don't stop using TTLS-PAP, it's fine. MITMA is a reality, especially in academic environment. Do you have other safer options? EAP-TLS is very safe but can be costly.
Yu
Ensure that your clients are properly configured. Verify the CA (use a private CA ) and check the server name. EAP-TLS or EAP-PWD are the options otherwise. EAP-TLS had most client support but can be time consuming (it can certainly be free! ) alan
Wang, Yu wrote:
Yes, I was referring to MITM with a rogue AP broadcasting campus SSID and harvest username and password sent in clear.
EAP doesn't work like that. The only way to harvest the username and password is: 1) the AP has a copy of your server certificate (i.e. they've stolen it) 2) the user checks the "do not validate server certificate" box in their EAP configuration.
MITMA is a reality, especially in academic environment.
PEAP and TTLS are designed to keep passwords secret from observers. TLS is designed to make MITM attacks impossible. So... whoever told you that TTLS was insecure didn't know what they are talking about. It's fine. Alan DeKok.
If the client is poorly configured. If the client is correctly configured then it's secure. That is, using a private CA, ensuring the client is configured to trust the CA and has the commonname of the server cert. alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (8)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Benjamin Stahl -
Benjamin Stahl (TH-Wildau.de) -
Mathieu Simon (Lists) -
Stefan Paetow -
Wang, Yu