The only computer in our office which causes certificate errors is a Windows 7 machine. So I attempted to connect using EAP/TTLS and MSCHAPv2 using my linux machine and my Android phone. Now I get a different error. I also tried using PEAP on my Android phone, and received no certificate errors. What could the windows machine be doing different? Why does the machine even enter the picture when the authentication is between the Access Point and the server? Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isnt it?) Where I am confused is near the bottom, what is causing the rejection? ++[pam] returns invalid or [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid log follows---- server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = PAM # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} rlm_pam: Attribute "User-Password" is required for authentication. ++[pam] returns invalid Failed to authenticate the user. Login incorrect: [test] (from client -REMOVED- port 0 via TLS tunnel) } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [test] (from client -REMOVED- port 0 cli B4-07-F9-F2-99-F6) Using Post-Auth-Type Reject
Steve Windows is trying to validate the server Cert. By default we have server Cert Validation enabled. You can disable this from the properties. Regards Aman Arneja On Wed, May 30, 2012 at 1:47 AM, Steve Hopps <steve.hopps@gmail.com> wrote:
The only computer in our office which causes certificate errors is a Windows 7 machine. So I attempted to connect using EAP/TTLS and MSCHAPv2 using my linux machine and my Android phone. Now I get a different error.
I also tried using PEAP on my Android phone, and received no certificate errors. What could the windows machine be doing different? Why does the machine even enter the picture when the authentication is between the Access Point and the server?
Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isnt it?) Where I am confused is near the bottom, what is causing the rejection?
++[pam] returns invalid
or
[eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid
log follows----
server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = PAM # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} rlm_pam: Attribute "User-Password" is required for authentication. ++[pam] returns invalid Failed to authenticate the user. Login incorrect: [test] (from client -REMOVED- port 0 via TLS tunnel) } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [test] (from client -REMOVED- port 0 cli B4-07-F9-F2-99-F6) Using Post-Auth-Type Reject - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
certificate errors. What could the windows machine be doing different? Why does the machine even enter the picture when the authentication is between the Access Point and the server?
authentication is between the client and the server - mediated over 802.1X by the Access point. thats why your client has a supplicant on it..
Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isnt it?) Where I am confused is near the bottom, what is causing the rejection?
Win7 will be EAP-PEAPv0/MSCHAPv2
++[pam] returns invalid
user/pass in pam?
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
thats kind of a big clue. dont do that. it breaks things. just define the realm in proxy.conf with no place eg realm whatever.com { }
rlm_pam: Attribute "User-Password" is required for authentication.
you've forced the server to use PAM? MSCHAPv2 doesnt provide 'User-Password' so wont work. what ARE you trying to do? alan
But according to the configuration file: # The "suffix" module takes care of stripping the domain # (e.g. "@example.com") from the User-Name attribute, and the # next few lines ensure that the request is not proxied. # # If you want the inner tunnel request to be proxied, delete # the next few lines. # update control { Proxy-To-Realm := LOCAL } So I'm confused, what's the right way to handle this situation? On Tue, May 29, 2012 at 4:00 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
certificate errors. What could the windows machine be doing different? Why does the machine even enter the picture when the authentication is between the Access Point and the server?
authentication is between the client and the server - mediated over 802.1X by the Access point. thats why your client has a supplicant on it..
Below is the portion of the log which shows the rejection, when using my Android phone, TTLS and MSCHAPv2 (that is what Windows uses isnt it?) Where I am confused is near the bottom, what is causing the rejection?
Win7 will be EAP-PEAPv0/MSCHAPv2
++[pam] returns invalid
user/pass in pam?
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
thats kind of a big clue. dont do that. it breaks things. just define the realm in proxy.conf with no place eg
realm whatever.com { }
rlm_pam: Attribute "User-Password" is required for authentication.
you've forced the server to use PAM? MSCHAPv2 doesnt provide 'User-Password' so wont work.
what ARE you trying to do?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 05/29/2012 10:28 PM, Steve Hopps wrote:
So I'm confused, what's the right way to handle this situation?
What situation? What are you trying to do? Alan has already hinted at the issue, but basically see here: http://deployingradius.com/documents/protocols/oracles.html ...and here: http://deployingradius.com/documents/protocols/compatibility.html Whatever protocol you are running within TTLS, it's not PAP therefore not compatible with PAM-as-an-oracle. rlm_pam: Attribute "User-Password" is required for authentication. ++[pam] returns invalid PAM is being forced (I think) here: [files] users: Matched entry DEFAULT at line 222 ...fix that line. Don't force PAM if you don't want or need it, and if you want/need it, pick compatible authentication. The Proxy-To-Realm comments in the default config files might be out of date; in general, obey what the debug says over ANY other advice, because it's coming from the actual code.
We're trying to use an access point configured for wpa2 using freeradius to authenticate with openldap. For Android and Linux it works out of the box with eap/ttls and pap. So we used Pam cause it already works with ldap. I didn't know other encryption types wouldn't work with Pam. IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible. On May 30, 2012 2:43 AM, "Phil Mayers" <p.mayers@imperial.ac.uk> wrote:
On 05/29/2012 10:28 PM, Steve Hopps wrote:
So I'm confused, what's the right way to handle this situation?
What situation?
What are you trying to do?
Alan has already hinted at the issue, but basically see here:
...and here:
Whatever protocol you are running within TTLS, it's not PAP therefore not compatible with PAM-as-an-oracle.
rlm_pam: Attribute "User-Password" is required for authentication. ++[pam] returns invalid
PAM is being forced (I think) here:
[files] users: Matched entry DEFAULT at line 222
...fix that line. Don't force PAM if you don't want or need it, and if you want/need it, pick compatible authentication.
The Proxy-To-Realm comments in the default config files might be out of date; in general, obey what the debug says over ANY other advice, because it's coming from the actual code. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Steve Hopps wrote:
We're trying to use an access point configured for wpa2 using freeradius to authenticate with openldap. For Android and Linux it works out of the box with eap/ttls and pap. So we used Pam cause it already works with ldap. I didn't know other encryption types wouldn't work with Pam.
This confuses me. Why use PAM when FreeRADIUS can use LDAP directly?
IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
It's possible. It's easy. (a) configure FreeRADIUS to query LDAP directly (b) ensure that the passwords in LDAP are stored in a format compatible with MS-CHAP. If you can do both, then getting PEAP to work should be trivial. In 2.1.2, you can use "radclient" to send MS-CHAP requests to the server. Don't even THINK of trying to get PEAP to work until you have plain old MS-CHAP working. Alan DeKok.
Hi,
an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
its 100% possible natively if you expose either the plain text password, or HT-Hashed password to the server - eg with LDAP module. alan
On 30/05/12 13:44, Steve Hopps wrote:
IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
It's certainly a shame that Windows 7 doesn't support TTLS/PAP. PEAP/MSCHAP requires you have the plaintext password or NT hash, or access to an mschap "oracle" like ntlm_auth running on Samba as a member of the domain. If you don't have those, you can't do PEAP/MSCHAP, and your options are very limited. EAP-TLS, perhaps?
The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy. As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company. That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell "ultimate" versions of an OS for $150-200 when they dont even support as many features as a free, open source system? I just got into work, so I'll be looking over the suggestions and making more attempts at this. Thanks again for all the help! On Wed, May 30, 2012 at 8:15 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 30/05/12 13:44, Steve Hopps wrote:
IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
It's certainly a shame that Windows 7 doesn't support TTLS/PAP.
PEAP/MSCHAP requires you have the plaintext password or NT hash, or access to an mschap "oracle" like ntlm_auth running on Samba as a member of the domain.
If you don't have those, you can't do PEAP/MSCHAP, and your options are very limited.
EAP-TLS, perhaps?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy.
As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company. That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell "ultimate" versions of an OS for $150-200 when they dont even support as many features as a free, open source system?
I just got into work, so I'll be looking over the suggestions and making more attempts at this. Thanks again for all the help!
Here's one more: many folks in eduroam have gone through the exact same considerations, and some indeed need TTLS-PAP. If it is unavoidable, there is a GPLed version of SecureW2 which can deliver TTLS-PAP to older versions of Windows. I'm sure you can find it on the internet somewhere. Stefan
On 30/05/12 13:44, Steve Hopps wrote:
IPhones work with a custom config profile that's easily installed. However, our most significant hurdle is windows machines. Who would have guessed??? For some stupid reason Microsoft doesn't care about supporting all modern encryption standards. Making our staff pay for SecureW2 isn't an option and XSupplicant doesn't work reliably yet in 64bit Win7. So I'm back to trying to get mschapv2 working with peap. This seems impossible.
It's certainly a shame that Windows 7 doesn't support TTLS/PAP.
PEAP/MSCHAP requires you have the plaintext password or NT hash, or access to an mschap "oracle" like ntlm_auth running on Samba as a member of the domain.
If you don't have those, you can't do PEAP/MSCHAP, and your options are very limited.
EAP-TLS, perhaps?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, May 30, 2012 at 8:15 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Steve Hopps wrote:
The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy.
Life is a series of compromises. Deal with it.
As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company.
I'll take that as "adding more features in newer releases". Windows 8 is the first version which supports TTLS. While this should arguably have been done years ago, it's nice to have it now. And if you're arguing against upgrades, you can do the same for FreeRADIUS. Version 3.0 will support RadSec (RADIUS over SSL). Version 2.x will not. Ever.
That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell "ultimate" versions of an OS for $150-200 when they dont even support as many features as a free, open source system?
They have different priorities. FreeRADIUS is about making software that works. Microsoft is about money. Guess which one works well, and which one has more money? Alan DeKok.
It's a frustrating situation because if Windows were to support all of the encryption features that their competition does, indeed, that my _phone_ supports, I would not need to compromise. I personally believe a company can deliver a top product without sacrificing their profit margin. Microsoft falls short of this, and here we have a perfect example of precisely how. I also think their tiered version method they introduced with Vista is dishonest, as a result of this. But we're getting off track. It's too bad the XSupplicant project is not yet to the point of stability with Windows 7 64-Bit. I haven't had an opportunity to test it with 32-Bit yet, I imagine it works okay with Windows XP, but many of our employees are using Windows 7 on newer laptops. If that app worked, this wouldn't be a problem. If you ask me, that is the nature of the beast when it comes to computers. It'll work in a month, or a year, or several years, but for now we just beat our heads against the wall. In quick response to Stefan, I'm not associated with eduroam, however, I have found the eduroam instructions to be very helpful in getting this working as far as I have. In particular, the iphone support. So thanks for that. :) On Wed, May 30, 2012 at 8:55 AM, Alan DeKok <aland@deployingradius.com> wrote:
Steve Hopps wrote:
The reasons you stated are why I think this is near impossible. Our passwords are stored with md5... I'm not fond of the idea that in order to get this to work, we have to compromise our security policy.
Life is a series of compromises. Deal with it.
As for the Windows salesman, leaving out features from one OS to sell a newer OS is one of the reasons I cannot stand your company.
I'll take that as "adding more features in newer releases".
Windows 8 is the first version which supports TTLS. While this should arguably have been done years ago, it's nice to have it now.
And if you're arguing against upgrades, you can do the same for FreeRADIUS. Version 3.0 will support RadSec (RADIUS over SSL). Version 2.x will not. Ever.
That said, Windows 7 is great in my opinion, like Windows XP. If you really care, put pressure on your higher ups to extend the functionality to support things like EAP/TTLS and PAP. I'm sure there's other deficiencies.. How is it right to sell "ultimate" versions of an OS for $150-200 when they dont even support as many features as a free, open source system?
They have different priorities.
FreeRADIUS is about making software that works.
Microsoft is about money.
Guess which one works well, and which one has more money?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
It's a frustrating situation because if Windows were to support all of the encryption features that their competition does, indeed, that my _phone_ supports, I would not need to compromise. I personally believe a company can deliver a top product without sacrificing their profit margin. Microsoft falls short of this, and here we have a perfect example of precisely how. I also think their tiered version method they introduced with Vista is dishonest, as a result of this. But we're getting off track.
...but whilst you worry about the server (which you can secure) you are happy with EAP-TTLs/PAP - which, whilst it lets you do your secure server stuff, means that you can have users with badly configured clients which dont do the required CA checking or RADIUS CN checking - who will then quite happily send me, running a nasty MiTM attack RADIUS server, their username+password. your worries seem to be at the wrong end of the security mix. where YOU control the security ecpsystem you can do other things...after all, your RADIUS server can quite happily log in clear text your secure things.. alan
participants (6)
-
alan buxey -
Alan DeKok -
Aman Arneja -
Phil Mayers -
Stefan Winter -
Steve Hopps