HOWTO PEAP + FreeRadius + XP Client

Gustavo Chavelas gchavelas at bfmx.com.mx
Wed Apr 30 01:53:45 CEST 2008


Hi George KNIGHT,

There are many experts here.

I have an infrastructure like yours:

EAP, PEAP, WinCE with HANDHELD, WIN XP, WIN VISTA and Cisco.

It's working very well on two CentOS servers, 1 master and 1 backup for
redundancy.

Alan DeKok sent you instructions, but don't worry: if you have any questions
and I can help you, I will.

Regards!

-----Original Message-----
From: freeradius-users-bounces+gchavelas=bfmx.com.mx at lists.freeradius.org
[mailto:freeradius-users-bounces+gchavelas=bfmx.com.mx at lists.freeradius.org]
On behalf of freeradius-users-request at lists.freeradius.org
Sent: Tuesday, 29 April 2008 02:08 p.m.
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 36, Issue 173


Today's Topics:

   1. Re: can peap and ttls live together? (Sergio Belkin)
   2. dot1x specification EAPOL-Logoff clarification
      (Arran Cudbard-Bell)
   3. Re: dot1x specification EAPOL-Logoff clarification
      (Arran Cudbard-Bell)
   4. HOWTO PEAP + FreeRadius + XP Client (George KNIGHT)
   5. Re: HOWTO PEAP + FreeRadius + XP Client (Michael Schwartzkopff)
   6. Re: SPAM-LOW:  Re: EAP/TLS connection problem.. (Alan DeKok)
   7. Re: HOWTO PEAP + FreeRadius + XP Client (Alan DeKok)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Apr 2008 12:56:38 -0300
From: "Sergio Belkin" <sebelk at gmail.com>
Subject: Re: can peap and ttls live together?
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<8c6f7f450804290856oce00b42h557aba09dfb7ee22 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-2

2008/4/29 Ivan Kalik <tnt at kalik.net>:
> That probably won't work in 2.0. Mapping to Cleartext-Password will.

I am using 2.0.2 :)

>
>
>  Ivan Kalik
>  Kalik Informatika ISP
>
>
>
> On 29/4/2008, "Sergio Belkin" <sebelk at gmail.com> wrote:
>
>
>
> >2008/4/29 Ivan Kalik <tnt at kalik.net>:
>  >> You need to add the entry for Cleartext-Password. Something like:
>  >>
>  >>  checkItem   Cleartext-Password       clrtxtPassword
>  >>
>  >>
>  >>  Ivan Kalik
>  >>  Kalik Informatika ISP
>  >>
>  >>
>  >>
>  >>
>  >Hmmmm. I went ahead and, before reading your answer, I added:
>  >
>  >checkItem       User-Password                   userPassword
>  >
>  >replyItem   Tunnel-Type                            radiusTunnelType
>  >replyItem   Tunnel-Medium-Type             radiusTunnelMediumType
>  >replyItem   Tunnel-Private-Group-Id        radiusTunnelPrivateGroupId
>  >
>  >end of snip
>  >
>  >It worked! Anyway, is that right?
>  >
>  >--
>  >--
>  >Open Kairos http://www.openkairos.com
>  >Watch More TV http://sebelk.blogspot.com
>  >Sergio Belkin -
>
>
> >-
>  >List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>  >
>  >



-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -



------------------------------

Message: 2
Date: Tue, 29 Apr 2008 17:33:06 +0100
From: Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>
Subject: dot1x specification EAPOL-Logoff clarification
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <48174DC2.3060205 at sussex.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi,

Having some interesting issues with an HP ProCurve 2510, an Apple Mac
Power Book running OSX 10.5.2, and MAC-Auth + EAP-Auth on the same wired
port.

I know this isn't strictly the list for this as this isn't really
RADIUS, but I'm not sure where to post...

Two questions:

    IEEE802.1x-2004
        8.1.3 EAPOL-Logoff
        When a Supplicant wishes the Authenticator PAE to perform a
        logoff (i.e., to set the controlled Port state to
        unauthorized), the Supplicant PAE originates an EAPOL-Logoff
        message (see 7.5.4) to the Authenticator PAE. As a result, the
        Authenticator PAE immediately places the controlled Port in the
        unauthorized state

1) It appears in the spec that there is no requirement or indeed method
of the Supplicant PAE of confirming that the EAPOL-Logoff has been
honoured. So the supplicant PAE could be in the unauthorised state while
the Authenticator could be in the authorised state. Is this an oversight
of the dot1x spec, or is this meant to be handled at a higher level with
EAP?

---

2) On the termination of an EAP session, VLAN membership is usually
altered, either to a MAC-Authorised VID, a default unauthorised VID, or
the port is blocked. Windows clients are pretty crap in terms of DHCP
when this happens, and fail to renew their leases when moving between
authorised and unauthorised states. Apple Mac clients however are very
good in terms of DHCP dot1x integration. Unfortunately with EAP-Based
and MAC-Based authentication transitions, DHCP renewal doesn't appear
to work. This is what I've seen from the traces:

FRAME 6436 - TS 212.482482 - Assumed VLAN 603 - Actual VLAN 603 - EAPOL Logoff
FRAME 6440 - TS 212.484947 - Assumed VLAN Blocked (transistion) - Actual VLAN 603 - DHCP REQUEST
FRAME 6443 - TS 212.487252 - Assumed VLAN Blocked (transistion) - Actual VLAN 603 - DHCP ACK (Answered by server on 603)
FRAME 6454 - TS 212.529774 - Assumed VLAN 134 - Actual VLAN 134 - EAP Failure (Seems to denotate MAC Authentication succeeding)

So it appears after the supplicant sends the EAPOL-Logoff, the DHCP client
attempts to get a lease very quickly; so quickly in fact that the switch
hasn't altered the state of the port. The result being that the DHCP request
is acked by the DHCP server on the dot1x authorised VLAN, the VLAN
transition *then* occurs, but as the DHCP client has satisfied itself that
it has a valid lease for the PAE unauthorised state it doesn't renew the
lease until it expires...

Should I be shouting at HP to get their switches to register the state
change faster, or shouting at Apple to make their DHCP timings less
aggressive?

Many Thanks,
Arran

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
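
The race described in the message above, as an added example that is not part of the original post: a Python check that parses trace lines in the format shown there and flags any DHCP ACK accepted after an EAPOL-Logoff but before the switch actually moved the port to another VLAN. The function names and result fields are assumptions of this example; the sample input is the four trace lines from the message, unwrapped.

```python
import re

# The four trace lines from the message above, unwrapped onto one line each.
TRACE = """\
FRAME 6436 - TS 212.482482 - Assumed VLAN 603 - Actual VLAN 603 - EAPOL Logoff
FRAME 6440 - TS 212.484947 - Assumed VLAN Blocked (transistion) - Actual VLAN 603 - DHCP REQUEST
FRAME 6443 - TS 212.487252 - Assumed VLAN Blocked (transistion) - Actual VLAN 603 - DHCP ACK (Answered by server on 603)
FRAME 6454 - TS 212.529774 - Assumed VLAN 134 - Actual VLAN 134 - EAP Failure (Seems to denotate MAC Authentication succeeding)
"""

LINE_RE = re.compile(
    r"FRAME (?P<frame>\d+) - TS (?P<ts>[\d.]+) - Assumed VLAN .+?"
    r" - Actual VLAN (?P<vlan>\d+) - (?P<event>.+)")

def parse_trace(text):
    """Turn trace lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"frame": int(m["frame"]), "ts": float(m["ts"]),
                           "vlan": int(m["vlan"]), "event": m["event"]})
    return events

def find_stale_leases(events):
    """Flag DHCP ACKs accepted after an EAPOL-Logoff but before the switch
    moved the port off the pre-logoff VLAN (the lease is for the old VLAN)."""
    findings, logoff, pending = [], None, []
    for ev in events:
        if ev["event"].startswith("EAPOL Logoff"):
            logoff, pending = ev, []          # start watching this port
        elif logoff is None:
            continue                          # no logoff in flight
        elif ev["vlan"] != logoff["vlan"]:    # the port finally changed VLAN
            for ack in pending:
                findings.append({
                    "ack_frame": ack["frame"],
                    "lease_vlan": ack["vlan"],
                    "new_vlan": ev["vlan"],
                    "ack_after_logoff_ms": round((ack["ts"] - logoff["ts"]) * 1000, 3),
                    "switch_after_logoff_ms": round((ev["ts"] - logoff["ts"]) * 1000, 3),
                })
            logoff, pending = None, []
        elif ev["event"].startswith("DHCP ACK"):
            pending.append(ev)                # ACK while still on the old VLAN
    return findings

if __name__ == "__main__":
    for finding in find_stale_leases(parse_trace(TRACE)):
        print(finding)
```

On the trace from the message this reports one stale lease: the ACK in frame 6443 arrives under 5 ms after the logoff, while the port only changes VLAN about 47 ms after it.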



------------------------------

Message: 3
Date: Tue, 29 Apr 2008 17:50:14 +0100
From: Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>
Subject: Re: dot1x specification EAPOL-Logoff clarification
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <481751C6.7050301 at sussex.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Arran Cudbard-Bell wrote:
> Hi,
>
> Having some interesting issues with an HP ProCurve 2510, an Apple Mac
> Power Book running OSX 10.5.2, and MAC-Auth + EAP-Auth on the same
> wired port.
>
> I know this isn't strictly the list for this as this isn't really
> RADIUS, but I'm not sure where to post...
>
> Two questions:
>
>    IEEE802.1x-2004
>        8.1.3 EAPOL-Logoff
>        When a Supplicant wishes the Authenticator PAE to perform a
>        logoff (i.e., to set the controlled Port state to
>        unauthorized), the Supplicant PAE originates an EAPOL-Logoff
>        message (see 7.5.4) to the Authenticator PAE. As a result, the
>        Authenticator PAE immediately places the controlled Port in the
>        unauthorized state
>
> 1) It appears in the spec that there is no requirement or indeed
> method of the Supplicant PAE of confirming that the EAPOL-Logoff has
> been honoured. So the supplicant PAE could be in the unauthorised
> state while the Authenticator could be in the authorised state. Is
> this an oversight of the dot1x spec, or is this meant to be handled at
> a higher level with EAP?
Sorry. Looking at the diagrams in 8-5 it appears my suspicion is 
correct. Unless a re-auth timer is implemented by the Authenticator PAE, 
this mismatched authentication state could persist indefinitely.

The EAPOL-LOGOFF frame is *not* retransmitted to the Authentication
server... and the Authenticator PAE does not respond to EAPOL-LOGOFF
frames, it just alters its state. So if the EAPOL-LOGOFF frame was lost
in transit... damn, why no EAPOL-LOGOFF-CONFIRMATION packet ... In every
other part of the EAP/dot1x spec a request *should* always be answered
by a response... but not here... are these guys idiots, or am I being
dense?!

See this would solve the issue in question 2 perfectly.


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900



------------------------------

Message: 4
Date: Tue, 29 Apr 2008 14:14:16 -0400
From: "George KNIGHT" <georgeknight at gmail.com>
Subject: HOWTO PEAP + FreeRadius + XP Client
To: freeradius-users at lists.freeradius.org
Message-ID:
	<d6da8e1d0804291114g56d9d9bfr2f58e923357e093e at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello everyone,
Before I write my question here, I just want to let all of you know that I
did lots of searching in both google and this email list. But couldn't find
anything to get the answer.

My question is I have been looking for a HOWTO paper for a beginner to set
freeradius as an AAA server in a wireless environment to Windows XP SP2
clients. I will use Windows' own PEAP client. Is there such a paper someone
can give me the link?

I'm very frustrated to find out that there is no information available for a
setup from scratch. I wrote papers like that before for various topics
such as subversion implementation for a multiple OS environment, VoIP
implementation with a Linux based open sources S/W etc. I intend to
write such a paper for how to set up PEAP implementation with freeradius as
well. But for that, I'm hoping someone can give me a good start.

OK, here are my network settings and needed information:

I have a SUSE SLES 10 server to be used as an AAA server. This server is
called store-AAA and also acts as a DHCP server for the clients. I have a
few Cisco 1242 APs as authenticators.
Clients are going to be computers with WinCE as their OS and they will
contact to the LAN wirelessly. What I want to achieve is authenticating these
clients with server-AAA using PEAP before letting them use the other network
resources.

Thank you in advance for your time and effort.

George Knight

------------------------------

Message: 5
Date: Tue, 29 Apr 2008 20:28:44 +0200
From: Michael Schwartzkopff <misch at multinet.de>
Subject: Re: HOWTO PEAP + FreeRadius + XP Client
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <481768DC.5080808 at multinet.de>
Content-Type: text/plain; charset=ISO-8859-1

George KNIGHT wrote:
> Hello everyone,
> Before I write my question here, I just want to let all of you know that I
> did lots of searching in both google and this email list. But couldn't find
> anything to get the answer.
>
> My question is I have been looking for a HOWTO paper for a beginner to set
> freeradius as an AAA server in a wireless environment to Windows XP SP2
> clients. I will use Windows' own PEAP client. Is there such a paper someone
> can give me the link?
>
> I'm very frustrated to find out that there is no information available for a
> setup from scratch. I wrote papers like that before for various topics
> such as subversion implementation for a multiple OS environment, VoIP
> implementation with a Linux based open sources S/W etc. I intend to
> write such a paper for how to set up PEAP implementation with freeradius as
> well. But for that, I'm hoping someone can give me a good start.

For everyone who can create good google expressions:

http://www.wi-fiplanet.com/tutorials/article.php/3557251
http://www.linuxjournal.com/article/8095
http://www.rinta-aho.org/docs/wlan/wlan.html
http://ubuntuforums.org/showthread.php?t=478804
http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html
http://www.greatnorthcomputing.com/2008/03/using-freeradius-with-both-eap-peap.html

and about 100.000 more.

Order of appearance at Google, not related to relevance.

Greetings,

Michael.


------------------------------

Message: 6
Date: Tue, 29 Apr 2008 20:49:41 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: SPAM-LOW:  Re: EAP/TLS connection problem..
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <48176DC5.8010101 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Johan Nyman wrote:
> I have not edited the debug "a lot"! 

  You posted a small portion of the debug output.  There is a lot more
available during an EAP-TLS session.

> What information, from what .log files do you want/need? 

  The output of radiusd -X?

> Perhaps you are referring to another debug file?
> 
> That information I posted is directly from the "Radiusd -X" console.

  Yes, I know that.  Please understand that posting a *tiny* portion of
it doesn't help.  Posting *all* of it helps.

  Alan DeKok.


------------------------------

Message: 7
Date: Tue, 29 Apr 2008 21:03:10 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: HOWTO PEAP + FreeRadius + XP Client
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <481770EE.8010803 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

George KNIGHT wrote:
> Before I write my question here, I just want to let all of you know that
> I did lots of searching in both google and this email list. But couldn't
> find anything to get the answer. 
>
> My question is I have been looking for a HOWTO paper for a beginner to
> set freeradius as an AAA server in a wireless environment to Windows XP
> SP2 clients. I will use Windows' own PEAP client. Is there such a paper
> someone can give me the link?

$ ./configure
$ make
$ make install
$ radiusd -X

- Un-check "verify server certificate" in Windows (ONLY for testing).

- Add a user to the database (username/password, example in the FAQ)

  That's it.

> I'm very frustrated to find out that there is no information available
> for a setup from scratch.

  Part of the problem is that in 2.0, there is so little to do...

> I wrote papers like that before for
> various topics such as subversion implementation for a multiple OS
> environment, VoIP implementation with a Linux based open sources S/W
> etc. I intend to write such a paper for how to set up PEAP
> implementation with freeradius as well. But for that, I'm hoping someone
> can give me a good start.

  The EAP-TLS "howtos" contain additional documentation:

http://freeradius.org/doc/

> Clients are going to be computers with WinCE as their OS and they will
> contact to the LAN wirelessly. What I want to achieve is authenticating
> these clients with server-AAA using PEAP before letting them use the
> other network resources.

  Install 2.0, start the server.

  See also raddb/certs/README.  You can create "real" certificates, and
import them into WinCE.

  There is very, very, little to change in order to get PEAP to work.

  Alan DeKok.


------------------------------


End of Freeradius-Users Digest, Vol 36, Issue 173
*************************************************