Hi, I have to realize a RADIUS server with freeradius 1.0.5 and Cisco Aironet AP. The authentication method I must to use is EAP-TLS. I'm using the certificates created with openssl, for the authentication. When I have distributed the certificates to the server and the to client too, I proceed with authentication of the client. The software of PCMCIA card says the client is connected and associated, but access point says the authentication is failed. What could to be the reason of failure about the authentication? Regards, Saverio ___________________________________ Yahoo! Messenger with Voice: chiama da PC a telefono a tariffe esclusive http://it.messenger.yahoo.com
dark0s dark0s schrieb:
Hi, I have to realize a RADIUS server with freeradius 1.0.5 and Cisco Aironet AP. The authentication method I must to use is EAP-TLS. I'm using the certificates created with openssl, for the authentication. When I have distributed the certificates to the server and the to client too, I proceed with authentication of the client. The software of PCMCIA card says the client is connected and associated, but access point says the authentication is failed. What could to be the reason of failure about the authentication?
Regards,
Saverio Have this card a ralink chipset?
I don't know if PCMCIA card has got a ralink chipset. The card is a Belkin F5D7010 with 32 bit and support for 802.11g. Is a card with ralink chipset necessary to make work EAP-TLS? or a card without ralink chipset can work too? ___________________________________ Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB http://mail.yahoo.it
dark0s dark0s schrieb:
I don't know if PCMCIA card has got a ralink chipset. The card is a Belkin F5D7010 with 32 bit and support for 802.11g. Is a card with ralink chipset necessary to make work EAP-TLS? or a card without ralink chipset can work too?
No but Ralink chipset are very problematic. There are only 2 option for this chipset to get it working. The first easy but not cheap is to buy the Odyes Client the second free but some tricky is to use wpa_supplicant 0.5 Beta. I have found a webpage that say that this card use the ralink chipset.
Do I have to use wpa_supplicant even if I don't use WPA? Because probably I will use only WEP ___________________________________ Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB http://mail.yahoo.it
dark0s dark0s schrieb:
Do I have to use wpa_supplicant even if I don't use WPA? Because probably I will use only WEP
Yes when you will use EPA-TLS, because the supplicant that comes with the driver is completely broken. But when you have Windows XP SP2 and the extra WPA update you can try to use the build in supplicant of Windows. But I don't have test this.
I have a Windows XP SP2 client, with winpcap 3.1 installed. I have downloaded wpa_supplicant 0.5.0, but the executable wpasvc.exe is not recognized by the system, is it possibile? After installing winpcap, what do I have to do? --------------------------------- Yahoo! Mail: gratis 1GB per i messaggi, antispam, antivirus, POP3
dark0s dark0s schrieb:
I have a Windows XP SP2 client, with winpcap 3.1 installed. I have downloaded wpa_supplicant 0.5.0, but the executable wpasvc.exe is not recognized by the system, is it possibile? After installing winpcap, what do I have to do?
--------------------------------- Yahoo! Mail: gratis 1GB per i messaggi, antispam, antivirus, POP3
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html First you must get the device id of your WLAN card and disable the supplicant that comes with the driver. To get the Card ID run win_if_list that comes with the wpa_supplianct package. To disable the driver supplicant disable the binding of the AEGIS Protocol of the network card.
Then you have to write an config file. Here is my sample(I use WPA2 and EAP-TLS): update_config=1 ctrl_interface=/var/run/wpa_supplicant eapol_version=2 ap_scan=2 fast_reauth=1 network={ proto=RSN pairwise=CCMP ssid="your network SSID" key_mgmt=WPA-EAP identity="put here the text of the common name filed of the client cert" ca_cert="ca.pem" client_cert="client.crt" private_key="client.key" private_key_passwd="put here the secret of the client cert key" eapol_flags=3 } And to last build a simple cmd script that start's the hole. Here my script: wpa_supplicant -c myconf.conf -i "put here your device id" -D ndis -dd
Excuse me, but what is AEGIS protocol? How can I disable the disable the binding of the AEGIS Protocol of the network card? ___________________________________ Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB http://mail.yahoo.it
dark0s dark0s schrieb:
Excuse me, but what is AEGIS protocol? How can I disable the disable the binding of the AEGIS Protocol of the network card?
The AEGIS protocol is the broken supplicant of your wlan card. I have only an german windows so I can't tell you how the menu name is called in the English one. So go to your network environment with right mouse click on the desktop icon and select property's. Then select the connection of the wlan card. click right again and property's. now you can disable the AEGIS protocol. But only disable!! And not remove!!!
Can you explain me better what is AEGIS protocol? Because I cannot find it on the system. --------------------------------- Yahoo! Mail: gratis 1GB per i messaggi, antispam, antivirus, POP3
dark0s dark0s <dark0s_78@yahoo.it> wrote:
Excuse me, but what is AEGIS protocol? How can I disable the disable the binding of the AEGIS Protocol of the network card?
Please do not post off-topic messages to this list. There are other lists devoted to supplicant software. Supplicant questions should go there. Alan DeKok.
1) About ctrl_interface variable, /var/run/wpa_supplicant doesn't on Windows 2) Where do I have to insert the configuration file 3) If I must enable only WEP, what should be the configuration file --------------------------------- Yahoo! Mail: gratis 1GB per i messaggi, antispam, antivirus, POP3
dark0s dark0s schrieb: > 1) About ctrl_interface variable, /var/run/wpa_supplicant doesn't on Windows > 2) Where do I have to insert the configuration file > 3) If I must enable only WEP, what should be the configuration file 1. the name is correct 2. where you put the the wpa_supplicant.exe file 3. yes. take a look in the sample file.
Can you tell me if exist a PCMCIA card that doesn't request wpa_supplicant; i.e. a card that authenticates directly, after the configuration of freeradius 1.0.5 and openssl? --------------------------------- Yahoo! Messenger with Voice: chiama da PC a telefono a tariffe esclusive
On Thursday 26 January 2006 13:33, dark0s dark0s wrote:
Can you tell me if exist a PCMCIA card that doesn't request wpa_supplicant; i.e. a card that authenticates directly, after the configuration of freeradius 1.0.5 and openssl?
This is off topic and has nothing to do with EAP-TLS or really freeRADIUS. The card doesn't authenticate but I think you mean a pcmcia for wireless on Windows XP, yes, there are many. I have grown to prefer ones that use Atheros or Intel chipsets but many others will work with XP's native supplicant. You must have SP2, KB885453 hot-fix and optionally, WPA2 rollup. If you are using a Linux, *BSD, or something else then you will need wpa_supplicant. Zoltan Ori
Excuse me, I known it's off topic, but it is last post on this argument. Could you tell me a model of PCMCIA card doesn't need wpa supplicant? And not only the chipset Thanks, Saverio ___________________________________ Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB http://mail.yahoo.it
Hello List: I have tried but failed, since I am new to freeRADIUS, I humbly ask for help. I want to setup freeRADIUS so it does not allow more than one simultaneous login on the same UID/PW. I have read it somewhere that it can be done in freeRADIUS but not can't seem to find the file or the command string. Please help. Kirti
Read the doc "Simultaneous-Use" and read this: http://wrath.geoweb.ge/simult.html ----- Original Message ----- From: "Kirti S. Bajwa" <kbajwa@tibonline.net> To: "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org> Sent: Sunday, January 29, 2006 10:00 PM Subject: Duplicate Logins!!!
Hello List:
I have tried but failed, since I am new to freeRADIUS, I humbly ask for help.
I want to setup freeRADIUS so it does not allow more than one simultaneous login on the same UID/PW. I have read it somewhere that it can be done in freeRADIUS but not can't seem to find the file or the command string. Please help.
Kirti
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Use the 'Simultaneous-Login' check attribute. Simultaneous-Login := 1 "Kirti S. Bajwa" <kbajwa@tibonline.net> wrote: Hello List: I have tried but failed, since I am new to freeRADIUS, I humbly ask for help. I want to setup freeRADIUS so it does not allow more than one simultaneous login on the same UID/PW. I have read it somewhere that it can be done in freeRADIUS but not can't seem to find the file or the command string. Please help. Kirti - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Julius Igugu SouthWork Co. Ltd. --------------------------------- Yahoo! Autos. Looking for a sweet ride? Get pricing, reviews, & more on new and used cars.
Which file? -----Original Message----- From: freeradius-users-bounces+kbajwa=tibonline.net@lists.freeradius.org [mailto:freeradius-users-bounces+kbajwa=tibonline.net@lists.freeradius.o rg] On Behalf Of Julius Igugu Sent: Monday, January 30, 2006 5:52 AM To: FreeRadius users mailing list Subject: Re: Duplicate Logins!!! Use the 'Simultaneous-Login' check attribute. Simultaneous-Login := 1 "Kirti S. Bajwa" <kbajwa@tibonline.net> wrote: Hello List: I have tried but failed, since I am new to freeRADIUS, I humbly ask for help. I want to setup freeRADIUS so it does not allow more than one simultaneous login on the same UID/PW. I have read it somewhere that it can be done in freeRADIUS but not can't seem to find the file or the command string. Please help. Kirti - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Julius Igugu SouthWork Co. Ltd. _____ Yahoo! <http://us.rd.yahoo.com/evt=38381/%20ylc=X3oDMTEzcGlrdGY5BF9TAzk3MTA3MDc 2BHNlYwNtYWlsdGFncwRzbGsDMWF1dG9z/*http:/autos.yahoo.com/index.html%20> Autos. Looking for a sweet ride? Get pricing, reviews, & more on new and used cars.
I have a Windows XP SP2 client, with winpcap 3.1 installed. I have downloaded wpa_supplicant 0.5.0, but the executable wpasvc.exe is not recognized by the system, is it possibile? After installing winpcap, what do I have to do? --------------------------------- Yahoo! Mail: gratis 1GB per i messaggi, antispam, antivirus, POP3
Hi, I'm pretty stuck in a radius/ldap 802.1x authentication. During the authentication process the client (windows 2k through a e1 switch) sends the authentication using MD5-Challenge which is for what I understand the easiest of all. The FreeRadius server recevies everything but failed to authenticate the user. Here is the output rad_recv: Access-Request packet from host 192.168.1.200:1056, id=37, length=96 Message-Authenticator = 0xf44b1f115e9f9aa7d8026af7916c954f User-Name = "gab" NAS-IP-Address = 192.168.1.200 NAS-Port = 32 NAS-Port-Type = Ethernet Calling-Station-Id = "00-E0-29-38-72-DB" EAP-Message = 0x0240000801676162 Framed-MTU = 1000 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for gab radius_xlat: '(uid=gab)' radius_xlat: 'ou=radius, dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to galilee.mind-techno.fr:389, authentication 0 rlm_ldap: bind as cn=emanager,ou=radius,dc=fr/socrate2803 to galilee.mind-techno.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab) rlm_ldap: checking if remote access for gab is allowed by radiusFilterId rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user gab authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_eap: EAP packet type response id 64 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 37 to 192.168.1.200:1056 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x014100160410f863dc8a4ae21123368575c7ac478f42 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0d1c294f270f623665d377ff9b34eb92 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.200:1057, id=38, length=96 Message-Authenticator = 0x5c5c8803ec4b135afc57ba4443c8f64f User-Name = "gab" NAS-IP-Address = 192.168.1.200 NAS-Port = 32 NAS-Port-Type = Ethernet Calling-Station-Id = "00-E0-29-38-72-DB" EAP-Message = 0x0242000801676162 Framed-MTU = 1000 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for gab radius_xlat: '(uid=gab)' radius_xlat: 'ou=radius, dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab) rlm_ldap: checking if remote access for gab is allowed by radiusFilterId rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user gab authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 rlm_eap: EAP packet type response id 66 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 38 to 192.168.1.200:1057 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x014300160410537c01ae485e80e5e60a42ebe253c954 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x924e905b561231069339383faf04ce3b Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 192.168.1.200:1057, id=39, length=128 Message-Authenticator = 0x1419a4cc9ce6110c3899d7e1b6e16e96 User-Name = "gab" State = 0x924e905b561231069339383faf04ce3b NAS-IP-Address = 192.168.1.200 NAS-Port = 32 NAS-Port-Type = Ethernet Calling-Station-Id = "00-E0-29-38-72-DB" Framed-MTU = 1000 EAP-Message = 0x024300160410e2a54a8018106d1354e86a78906ab7b9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for gab radius_xlat: '(uid=gab)' radius_xlat: 'ou=radius, dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab) rlm_ldap: checking if remote access for gab is allowed by radiusFilterId rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value { & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user gab authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_eap: EAP packet type response id 67 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 2 modcall: group authenticate returns reject for request 2 auth: Failed to validate the user. Login incorrect: [gab] (from client mind-intern port 32 cli 00-E0-29-38-72-DB) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Cleaning up request 0 ID 37 with timestamp 43d5f546 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 39 to 192.168.1.200:1057 EAP-Message = 0x04430004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 38 with timestamp 43d5f54b Cleaning up request 2 ID 39 with timestamp 43d5f54b Nothing to do. Sleeping until we see a request. The user gab in the ldap database is : dn: uid=gab,ou=users,ou=radius,dc=fr structuralObjectClass: inetOrgPerson entryUUID: a4ff72d0-2078-102a-99d1-fb3e3efc1b6e creatorsName: cn=admin,ou=radius,dc=fr createTimestamp: 20060123162543Z radiusFilterId: "Enterasys:version=1:policy=Enterprise User" uid: gab description: 802.1x user objectClass: top objectClass: radiusprofile objectClass: inetOrgPerson sn: gab cn: gab userPassword:: e01ENX1tbUdDU0xaTnRpMFZzd0NnZXdCWUN3PT0= entryCSN: 20060124083844Z#000001#00#000000 modifiersName: cn=admin,ou=radius,dc=fr modifyTimestamp: 20060124083844Z The radius.conf file for the authorize and authenticate section : authorize { ldap eap } authenticate { Auth-Type LDAP { ldap } eap } I'm getting lost in all this. Do you have any clues to resolve this ? Thanks in advance. Regards, -- M. Robert Wakim Mind Technologies 24 rue Victor Hugo 94220 Charenton-Le-Pont FRANCE tel : +33 (0)1 41 79 09 40 Fax : +33 (0)1 43 68 80 32 Email : rwakim@mind-techno.fr web : http://www.mind-techno.fr
Robert WAKIM wrote:
rlm_ldap: checking if remote access for gab is allowed by radiusFilterId rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items
Nope. That won't work. EAP-MD5's MD5 algorithm needs the plaintext password so unless you can get that out of LDAP, you'll have to use another method.
rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 2
...because it doesn't have the required info. Probably it should yell about needing the right kind of password, though how it's supposed to know the one you've given it is the wrong one I would have to think about.
Robert WAKIM wrote:
rlm_ldap: checking if remote access for gab is allowed by
radiusFilterId
rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items
Nope. That won't work. EAP-MD5's MD5 algorithm needs the plaintext password so unless you can get that out of LDAP, you'll have to use another method.
Thanks for the answer. It works if I store the passwords in clear text in the ldap database. What method should I use to store the passwords in md5? Regards, -- M. Robert Wakim Mind Technologies 24 rue Victor Hugo 94220 Charenton-Le-Pont FRANCE tel : +33 (0)1 41 79 09 40 Fax : +33 (0)1 43 68 80 32 Email : rwakim@mind-techno.fr web : http://www.mind-techno.fr
Robert WAKIM wrote:
Thanks for the answer. It works if I store the passwords in clear text in the ldap database.
What method should I use to store the passwords in md5?
I don't think you use any challenge-response mechanisms with the passwords MD5 "crypt"ed. Some MD5-based challenge-response methods (such as Digest-MD5) can work if you store the derived HA1 value, which is different than the /etc/passwd-style MD5 "crypt" one-way. I would have to look at the EAP-MD5 mechanism RFC to see if that were true, but in any case when I glanced at the 1.0.5 sourcecode of rlm_eap_md5, *it* wasn't written to be able to make use of the HA1 as far as I could tell. If you store the ntPassword you can extract that into the NT-Password radius attribute and use MS-CHAP. Or, depending on what 802.1x supplicant you're using, you could use TTLS and PAP inner mechanism, and you can check PAP against any store/crypt. Note both the HA1 and NT hashes are plaintext-equivalent i.e. if you steal them it's just as good as having the password, so the security benefits of storing such a crypt rather than the plaintext are somewhat questionable IMHO.
"Robert WAKIM" <rwakim@mind-techno.fr> wrote:
Thanks for the answer. It works if I store the passwords in clear text in the ldap database.
What method should I use to store the passwords in md5?
If you store the passwords as MD5 hashes in your database, then the only authentication methods that will work are PAP and EAP-TTLS with tunneled PAP. Alan DeKok.
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
...because it doesn't have the required info. Probably it should yell about needing the right kind of password, though how it's supposed to know the one you've given it is the wrong one I would have to think about.
In 1.x, the LDAP module puts the passwords into the User-Password attribute. So the EAP-MD5 module believes that the clear-text password is (in this case) "{MD5}..." Alan DeKok.
participants (9)
-
Alan DeKok -
dark0s dark0s -
debik -
Frank Büttner -
Julius Igugu -
Kirti S. Bajwa -
Phil Mayers -
Robert WAKIM -
Zoltan Ori