Authenication with certifiactes
Hello! # radiusd -v radiusd: FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu I could need some help with authenticating users per certificate to a freeradius server. I created the certificates and copied the ca.pem the testing supplicant. Startet freeradius with radius -X and a local executed radtest miles davis45 192.168.1.220 1812 testing123 gives this result: Sending Access-Request of id 206 to 192.168.1.220 port 1812 User-Name = "miles" User-Password = "davis45" NAS-IP-Address = 192.168.3.1 NAS-Port = 1812 rad_recv: Access-Accept packet from host 192.168.1.220 port 1812, id=206, length=20 I have this in the sqltrace.sql then: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'miles', 'davis45', 'Access-Accept', '2012-07-02 19:31:45'); I tried all kind of settings on the supplicant but I cannot get access using the ca.pem and get no lease from the DHCP-Server of the AP, TL-WA901ND I post the following output of a radius -X session: rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=155, length=153 User-Name = "andreas" NAS-IP-Address = 192.168.1.254 NAS-Port = 0 Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt" Calling-Station-Id = "00-22-B0-E7-EF-98" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200000c01616e6472656173 Message-Authenticator = 0xcfc9907d0444926482192aafdcaba630 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "andreas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> andreas [sql] sql_set_user escaped user --> 'andreas' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'andreas' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'andreas' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'andreas' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'andreas' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'andreas' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'andreas' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 155 to 192.168.1.254 port 2048 EAP-Message = 0x010100160410627ca484105a5653ea83eec8c11115b0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f58029d0f5906e7a9d59b95861c72dd Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=156, length=165 User-Name = "andreas" NAS-IP-Address = 192.168.1.254 NAS-Port = 0 Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt" Calling-Station-Id = "00-22-B0-E7-EF-98" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020100060315 State = 0x0f58029d0f5906e7a9d59b95861c72dd Message-Authenticator = 0x764f23c23137bd2125a294f54ca21ac1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "andreas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> andreas [sql] sql_set_user escaped user --> 'andreas' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'andreas' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'andreas' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'andreas' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'andreas' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'andreas' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'andreas' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 156 to 192.168.1.254 port 2048 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f58029d0e5a17e7a9d59b95861c72dd Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 155 with timestamp +25 Cleaning up request 1 ID 156 with timestamp +25 Ready to process requests. Can somebody help and tell me what to look for next? Thank you for every hint! Andreas
Hi, 1) you are getting an access-accept - which suggest the client is using the values you mention - that is 'miles' with 'davis45' as the password - hence you are using PEAP or PAP or somesuch and not EAP-TLS certificate 2) your access-accept should mean that the client gets an address on the network it is put on via the AP - unless you havent got that bit configured right (VLAN or DHCP server etc) - not a FreeRADIUS issue 3) clients dont use ca.pem to authentication using certificates - clients get their own client cert 4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes. alan
Hello! alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
1) you are getting an access-accept - which suggest the client is using the values you mention - that is 'miles' with 'davis45' as the password - hence you are using PEAP or PAP or somesuch and not EAP-TLS certificate
I have no luck with this. I read in some articles to make an AP with Radius-Authentication, one should create cerificates with 'make all' in the certs-directory after editing the ca.cnf and server.cnf and copy the ca.pem to the client. Where can I read what other possibilites there are to authorize a client for an AP using a radiusserver as backend.
2) your access-accept should mean that the client gets an address on the network it is put on via the AP - unless you havent got that bit configured right (VLAN or DHCP server etc) - not a FreeRADIUS issue
I just attached the AP to eth0 accesible with 192.168.1.254, activated the DHCP-Server and tried to get authorization with a notebook using WPA-Enterprise and the ca.cert. I disabled sql now in the Radius-Server and get this, when I access from the notebool with TTLS and PAP: rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=3, length=159 User-Name = "christiane" NAS-IP-Address = 192.168.1.254 NAS-Port = 0 Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt" Calling-Station-Id = "00-22-B0-E7-D9-9B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200000f0163687269737469616e65 Message-Authenticator = 0x63fa52067e6106e6299499e8e42249ee +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "christiane", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry christiane at line 95 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.1.254 port 2048 EAP-Message = 0x010100160410cde74bbeeec3a19a037d5b4fe57f4c97 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4fb647db4fb74330423119a23041222a Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=4, length=168 User-Name = "christiane" NAS-IP-Address = 192.168.1.254 NAS-Port = 0 Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt" Calling-Station-Id = "00-22-B0-E7-D9-9B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020100060315 State = 0x4fb647db4fb74330423119a23041222a Message-Authenticator = 0x64f323aa1f0f8335cc75e1ec3690a536 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "christiane", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry christiane at line 95 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.1.254 port 2048 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4fb647db4eb45230423119a23041222a Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 3 with timestamp +130 Cleaning up request 3 ID 4 with timestamp +130 Ready to process requests. But I do not get a lease from the AP.
3) clients dont use ca.pem to authentication using certificates - clients get their own client cert
Strange, where can I read about this?
4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong
Ok, disabled SQL and made entries in the users file. miles<->Cleartext-Password := "davis45" christiane<---->Cleartext-Password := "chr17!"
5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes.
allright, will do that if I can see some land in this ocean
alan
Thank you for your help with this! I am a bit lost. Andreas
Hi,
I have no luck with this. I read in some articles to make an AP with Radius-Authentication, one should create cerificates with 'make all' in the certs-directory after editing the ca.cnf and server.cnf and copy the ca.pem to the client.
..that would be to ensure that you can configure the client to trust the RADIUS server - as they are both signed by the same CA
Where can I read what other possibilites there are to authorize a client for an AP using a radiusserver as backend.
it depends what you want to do. you were talking about authenticating using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS) which means the client uses a certificate
I just attached the AP to eth0 accesible with 192.168.1.254, activated the DHCP-Server and tried to get authorization with a notebook using WPA-Enterprise and the ca.cert. I disabled sql now in the Radius-Server and get this, when I access from the notebool with TTLS and PAP:
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=3, length=159 User-Name = "christiane" NAS-IP-Address = 192.168.1.254 NAS-Port = 0 Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt" Calling-Station-Id = "00-22-B0-E7-D9-9B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200000f0163687269737469616e65 Message-Authenticator = 0x63fa52067e6106e6299499e8e42249ee +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "christiane", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry christiane at line 95 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.1.254 port 2048 EAP-Message = 0x010100160410cde74bbeeec3a19a037d5b4fe57f4c97 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4fb647db4fb74330423119a23041222a Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=4, length=168 User-Name = "christiane" NAS-IP-Address = 192.168.1.254 NAS-Port = 0 Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt" Calling-Station-Id = "00-22-B0-E7-D9-9B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020100060315 State = 0x4fb647db4fb74330423119a23041222a Message-Authenticator = 0x64f323aa1f0f8335cc75e1ec3690a536 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "christiane", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry christiane at line 95 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.1.254 port 2048 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4fb647db4eb45230423119a23041222a Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 3 with timestamp +130 Cleaning up request 3 ID 4 with timestamp +130 Ready to process requests.
But I do not get a lease from the AP.
thats because, as you can read, you never got an Access-Accept. the flow above shows that your request arrived at the server....the server is configured to use MD5 by default in the inner-tunnel (so change that to the method you will use most eg TTLS) and so the server send a NAK. the client was then put through using TTLS but the server sent an Access-Challenge that never got answered....which is in the FAQ - the client doesnt trust the server. you need to ensure that you have added the CA in the right certificate store on the client..... as this is 802.1X a quick hint - do a google search for 'eduroam configuring client' you should find countless examples from Universities worldwide on how to configure a client for doing this sort of thing....some sites will have step by step instructions so you can see how to do it on windows XP/Vista/7 OSX 10.6 etc ..and a favour in return..if you find any sites that DONT tell the users to check the CA and put the right name in the verification box, then please email me ;-)
Strange, where can I read about this?
EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people are blocked from internet search engines
4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong
Ok, disabled SQL and made entries in the users file.
..but from what you said above (using TTLS) - there is nothing wrong with using MySQL/postgreSQL etc though we DO advise people to start simple. start with users file rather than some fancy backend storage. once you see things working and have things in a working state, THEN bring in the good stuff(tm)
5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes.
allright, will do that if I can see some land in this ocean
I would start with the upgrade first - the cerfificate make files got some fixes and improvements too! ;-) alan
Hello! alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I have no luck with this. I read in some articles to make an AP with Radius-Authentication, one should create cerificates with 'make all' in the certs-directory after editing the ca.cnf and server.cnf and copy the ca.pem to the client.
..that would be to ensure that you can configure the client to trust the RADIUS server - as they are both signed by the same CA
OK
Where can I read what other possibilites there are to authorize a client for an AP using a radiusserver as backend.
it depends what you want to do. you were talking about authenticating using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS) which means the client uses a certificate
OK I wonder what other possibilities than certificates there are to authorize a client to a network using WLAN. Like Hotspots, internet cafes and hotels for example. I mean, handing over a certifacte to a client on an USB-stick seems unpracticable to me. [ ... snipp ]
But I do not get a lease from the AP.
thats because, as you can read, you never got an Access-Accept. the flow above shows that your request arrived at the server....the server is configured to use MD5 by default in the inner-tunnel (so change that to the method you will use most eg TTLS) and so the server send a NAK. the client was then put through using TTLS but the server sent an Access-Challenge that never got answered....which is in the FAQ - the client doesnt trust the server. you need to ensure that you have added the CA in the right certificate store on the client..... as this is 802.1X a quick hint - do a google search for 'eduroam configuring client' you should find countless examples from Universities worldwide on how to configure a client for doing this sort of thing....some sites will have step by step instructions so you can see how to do it on windows XP/Vista/7 OSX 10.6 etc
..and a favour in return..if you find any sites that DONT tell the users to check the CA and put the right name in the verification box, then please email me ;-)
Strange, where can I read about this?
EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people are blocked from internet search engines
4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong
Ok, disabled SQL and made entries in the users file.
..but from what you said above (using TTLS) - there is nothing wrong with using MySQL/postgreSQL etc
though we DO advise people to start simple. start with users file rather than some fancy backend storage. once you see things working and have things in a working state, THEN bring in the good stuff(tm)
5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes.
allright, will do that if I can see some land in this ocean
I would start with the upgrade first - the cerfificate make files got some fixes and improvements too! ;-)
So I followed your hint and compiled and installed freeradius-server-2.1.12. Created new certificates and changed md5 to ttls in eap.conf and the client.conf to accept my client. I configured the Linux-Client with Yast to connect to the AP using the ca.pem. The handshake works and I get a lease. Now this is great! The NetworkManager didn't do it.
alan
Thank you very much for your initial help! Now I can go on examinng the server. Andreas
Hi,
Where can I read what other possibilites there are to authorize a client for an AP using a radiusserver as backend.
it depends what you want to do. you were talking about authenticating using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS) which means the client uses a certificate
OK
I wonder what other possibilities than certificates there are to authorize a client to a network using WLAN. Like Hotspots, internet cafes and hotels for example. I mean, handing over a certifacte to a client on an USB-stick seems unpracticable to me.
EAP-PEAP/TLS will allow some user name/password authentication. But! the password must be stored in either plain text or NT encryption format in your database of users. If you are setting up eduroam, you only have to care about the password of your own users only, so handling a certificate may not be a problem (you don't have to manage guests). If you plan to offer a service for guests, 802.1x may be too much and you should look at a captive portal solution. But still using Radius as backend authentication. Best regards, olivier
[ ... snipp ]
But I do not get a lease from the AP.
thats because, as you can read, you never got an Access-Accept. the flow above shows that your request arrived at the server....the server is configured to use MD5 by default in the inner-tunnel (so change that to the method you will use most eg TTLS) and so the server send a NAK. the client was then put through using TTLS but the server sent an Access-Challenge that never got answered....which is in the FAQ - the client doesnt trust the server. you need to ensure that you have added the CA in the right certificate store on the client..... as this is 802.1X a quick hint - do a google search for 'eduroam configuring client' you should find countless examples from Universities worldwide on how to configure a client for doing this sort of thing....some sites will have step by step instructions so you can see how to do it on windows XP/Vista/7 OSX 10.6 etc
..and a favour in return..if you find any sites that DONT tell the users to check the CA and put the right name in the verification box, then please email me ;-)
Strange, where can I read about this?
EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people are blocked from internet search engines
4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong
Ok, disabled SQL and made entries in the users file.
..but from what you said above (using TTLS) - there is nothing wrong with using MySQL/postgreSQL etc
though we DO advise people to start simple. start with users file rather than some fancy backend storage. once you see things working and have things in a working state, THEN bring in the good stuff(tm)
5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes.
allright, will do that if I can see some land in this ocean
I would start with the upgrade first - the cerfificate make files got some fixes and improvements too! ;-)
So I followed your hint and compiled and installed freeradius-server-2.1.12. Created new certificates and changed md5 to ttls in eap.conf and the client.conf to accept my client. I configured the Linux-Client with Yast to connect to the AP using the ca.pem. The handshake works and I get a lease. Now this is great! The NetworkManager didn't do it.
alan
Thank you very much for your initial help! Now I can go on examinng the server.
Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 3 Jul 2012, at 09:16, Andreas Meyer wrote:
Where can I read what other possibilites there are to authorize a client for an AP using a radiusserver as backend.
it depends what you want to do. you were talking about authenticating using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS) which means the client uses a certificate
OK
I wonder what other possibilities than certificates there are to authorize a client to a network using WLAN. Like Hotspots, internet cafes and hotels for example. I mean, handing over a certifacte to a client on an USB-stick seems unpracticable to me.
In the world of EAP certificates are needed. For EAP-TLS based methods you need a certificate to identify the RADIUS server. When you begin an authentication attempt the RADIUS server will pass its server cert to the client, so the client can verify it is talking to a legitimate RADIUS server. Without the server cert, how do you know you are talking to your RADIUS server and not some rogue. Aside from the server cert you can also have client certs, which are used to identify the client to the server. However you don't have to use client certs, you can use other authentications e.g. username / password The most common password based authentications are MSCHAPv2 and PAP. Of course these authentications need to be wrapped in a secure tunnel, so will be inside of an EAP-TLS method e.g. PEAP or TTLS PEAP/MSCHAPv2 TTLS/PAP TTLS/MSCHAPv2 Out of the box without any config FreeRADIUS will do PEAP. With a fresh install all you need to do is add a user password to raddb/users e.g. joe NT-Password := "ABCDEF1234567890ABCDEF1234567890" Reply-Message = "Hello, %{User-Name}" andy Cleartext-password := "p4ssw0rd" Reply-Message = "Hello, %{User-Name}" Run radiusd -X, try and authenticate and look at what is happening. Without wanting to confuse you too much, there is also a new EAP method called EAP-PWD which doesn't use any certificates. This has very limited support in clients at the moment so isn't very practical. It uses some crazy cryptography which avoids to need for certs. For some more background on deploying 802.1X have a read of this (http://www.ja.net/documents/publications/technical-guides/8021x-tg-web.pdf) Thanks Scott Armitage
Hello Andreas, Your supplicant have rejected EAP-MD5 method proposed by freeradius and have requested for EAP-TTLS method. freeradius have sent EAP-TTLS/Start request. But your supplicant have never replied. The problem seems to be in supplicant (AP is transparent for EAP methods anyway). What supplicant do you use? Andreas Meyer wrote:
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.1.254 port 2048 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4fb647db4eb45230423119a23041222a
Hello! Iliya Peregoudov <iperegudov@cboss.ru> wrote:
Hello Andreas,
Your supplicant have rejected EAP-MD5 method proposed by freeradius and have requested for EAP-TTLS method. freeradius have sent EAP-TTLS/Start request. But your supplicant have never replied. The problem seems to be in supplicant (AP is transparent for EAP methods anyway). What supplicant do you use?
Thanks for the info! Well, yesterday I tried with NetworkManager only. After installing the new version of freeradius tonight I tried with NetworkManager again with no luck. Then I decided to use Yast of the openSUSE I use and that made it. With the NetworkManager I had this compatibilityproblems described for Windows OIDs. The NetworkManager didn't like the server.
Andreas Meyer wrote:
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.1.254 port 2048 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4fb647db4eb45230423119a23041222a
Andreas
participants (5)
-
alan buxey -
Andreas Meyer -
Iliya Peregoudov -
Olivier Nicole -
Scott Armitage