EAP TLS testing using eapol_test

Naunidh S Chadha naunidh at gmail.com
Thu May 22 21:01:21 CEST 2008


Hi Alan

Thanks for the reply.

The client certificates are made by using the "make client.pem"
command. This should create the certificates signed by the server
certificate of Freeradius. Since the root CA is the same for both
Freeradius and eapol_test, I am not sure what is going wrong. Do you
think it could be the eapol config?

I will paste it here again.

network={
        ssid="1x-test"
        key_mgmt=WPA-EAP
        eap=TLS
        identity="user@example.com"
        # even tried with server.pem as ca_cert
        ca_cert="/usr/local/etc/raddb/certs/ca.pem"
        client_cert="/usr/local/etc/raddb/certs/user@example.com.pem"
        private_key="/usr/local/etc/raddb/certs/client.key"
        private_key_passwd="whatever"
        eapol_flags=3
}

Thanks
Naunidh


On Thu, May 22, 2008 at 10:56 PM, <freeradius-users-request at lists.freeradius.org> wrote:

> Today's Topics:
>
>   1. Re: EAP TLS testing using eapol_test (Alan DeKok)
>   2. Re: Need to understand flow (Alan DeKok)
>   3. Re: radius x509 authentication + LDAP ? (Alan DeKok)
>   4. Re: Need to understand flow (Tuc at T-B-O-H.NET)
>   5. Re : Dynamic VLAN and FreeRadius (Joel MBA OYONE)
>   6. Re: Re : Dynamic VLAN and FreeRadius (Joe Vieira)
>   7. Re : Re : Dynamic VLAN and FreeRadius (Joel MBA OYONE)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 22 May 2008 17:06:03 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: EAP TLS testing using eapol_test
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <48358BDB.1040506 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Naunidh S Chadha wrote:
> ...
> > Wed May 21 19:31:19 2008 : Error: --> verify error:num=20:unable to get
> > local issuer certificate
> > Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: >>> TLS 1.0 Alert [length
> > 0002], fatal unknown_ca
>
>  The certificate supplied by the client was not signed by a CA that
> FreeRADIUS recognises.
>
>  Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 22 May 2008 17:08:54 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Need to understand flow
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <48358C86.8030309 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Tuc at T-B-O-H.NET wrote:
> >       I'm having to write my own validation and accounting for a device,
>
>  Don't.  Please.  There are a number of RADIUS libraries available,
> including freeradius-client, on freeradius.org.  It's supported, it
> works, and it's in use by a number of products.
>
> > and I need to understand a little about the flow. Is there a good reference
> > for this? I don't have to support much, basically user/pass authentication,
> > updating accounting, timeout, logoff.
>
>  See the RFC's.
>
> >       I believe I next need to send an accounting_start packet. Some
> > of the items I'm not sure where they come from (Acct-Session-Id,
> > Acct-Unique-Session-Id) or how they might be generated.
>
>  This is not a mailing list for general RADIUS questions.  The RFC's
> exist.  Please read them.
>
>  If you're doing this for a customer, you're getting paid.  Don't
> expect anyone here to help you (for free) to create your product that
> has nothing to do with FreeRADIUS.
>
>  Alan DeKok.
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 22 May 2008 17:10:07 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: radius x509 authentication + LDAP ?
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <48358CCF.9000701 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Riccardo Veraldi wrote:
> > After authentication I would like to check the common name or email
> > address properties of the certificate against LDAP, to authorize the
> > user connection.
>
>  It comes in the User-Name attribute.
>
> > is it possible to do this ?
> > I tried but it seems not to be working in my configuration.
> > any hints ?
>
>  Give us more information?
>
> Q: Hi, I tried to do stuff, but it didn't work.  How do I fix it?
> A: Uh... your guess is as good as mine.
>
>  Alan DeKok.
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 22 May 2008 11:37:27 -0400 (EDT)
> From: "Tuc at T-B-O-H.NET" <ml at t-b-o-h.net>
> Subject: Re: Need to understand flow
> To: freeradius-users at lists.freeradius.org
> Message-ID:
>        <200805221537.m4MFbRmn039038 at himinbjorg.tucs-beachin-obx-house.com>
> Content-Type: text/plain; charset=us-ascii
>
> > >     I'm having to write my own validation and accounting for a device,
> >
> >   Don't.  Please.  There are a number of RADIUS libraries available,
> > including freeradius-client, on freeradius.org.  It's supported, it
> > works, and it's in use by a number of products.
> >
>        I have no issue using a library. Right now I'm working with
> Net::Radius. But to use it I need to understand the flow since it only
> seems to be able to assemble and disassemble the packets, not tell me how
> to do it.
> >
> > > and I need to understand a little about the flow. Is there a good reference
> > > for this? I don't have to support much, basically user/pass authentication,
> > > updating accounting, timeout, logoff.
> >
> >   See the RFC's.
> >
>        Ok. I was hoping for something more than RFC's, but if that's the
> starting point, off I'll go.
> >
> > >     I believe I next need to send an accounting_start packet. Some
> > > of the items I'm not sure where they come from (Acct-Session-Id,
> > > Acct-Unique-Session-Id) or how they might be generated.
> >
> >   This is not a mailing list for general RADIUS questions.  The RFC's
> > exist.  Please read them.
> >
>        Jawohl.
> >
> >   If you're doing this for a customer, you're getting paid.  Don't
> > expect anyone here to help you (for free) to create your product that
> > has nothing to do with FreeRADIUS.
> >
>        Actually, no, I'm not doing this for a customer. I'm doing it
> for an OpenSource/Sourceforge project, but I really appreciate your
> support in it all.
>
>                        Tuc
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 22 May 2008 15:49:50 +0000 (GMT)
> From: Joel MBA OYONE <mba_oyone at yahoo.fr>
> Subject: Re : Dynamic VLAN and FreeRadius
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <994857.8869.qm at web26108.mail.ukl.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Alan,
>
> I possess a device from D-Link (DWS-3024). It is a wireless switch
> controller, and the documentation says that:
>  - One SSID has to be assigned to one VLAN on the profile.
>  - An access point can be configured with up to 8 different SSIDs, and it
> is possible to assign each SSID to its own network (below is a link which
> shows you the config page) or all SSIDs to the same network. Maybe I didn't
> read it correctly, so here is the link (see pages 89-90 and maybe 91 too):
> ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf
>
> I asked you about SSIDs/VLANs because all my APs (about 30) will
> receive the same profile, and the profile will have 3 different SSIDs with
> different security access levels and networks from the wireless switch.
>
> For example, in the same room, associated to the same AP, students and
> teachers will connect to different SSIDs coming from that same AP, and some
> will have to authenticate via EAP-PEAP, others will require EAP-TLS.
>
> This other short file explains point by point what my config is and what I
> am trying to do:
> ftp://ftp.dlink.fr/DWS/DWS-3024/QIG/QIG_DWS-3024_WPA2.pdf
> Read it and maybe you could understand me.
>
>
> regards
>
>
> Joel MBA OYONE wrote:
> >>  No.  VLAN assignment is after SSID association, and after 802.1x
> >> authentication.
> >
> > OK, is it possible to associate in SSID_1 and be assigned to a different
> > VLAN than the one we are associated in?
>
>  That doesn't make sense.  SSID's aren't tied to VLANs, unless you
> configure them that way.
>
> > (for example, when I am associated to
> > SSID_1, which belongs to VLAN100,
>
>  No... SSID's have nothing to do with VLAN's.
>
> > RADIUS sends me
> > "Tunnel-Private-Group-ID = 200", which belongs to another SSID, what
> > would happen and would the authentication process succeed?)
>
>  Read your NAS documentation to see how to do VLAN assignment, and how
> it interacts with SSID's.
>
> > - if I am assigned by RADIUS to a different SSID/VLAN pair than the one I
> > am connected to now, would the authentication process restart from the
> > beginning?
>
>  Stop talking about "SSID/VLAN".  They are separate things.
>
>  When you do VLAN assignment with RADIUS, you do NOT need to
> re-authenticate.
>
> > - is it possible to do EAP-TLS, EAP-PEAP and EAP-MD5 without the use of
> > 802.1x when RADIUS is the authentication Server for a supplicant?
>
>  What does that mean?
>
>  Alan DeKok.
>
> ------------------------------
>
> Message: 6
> Date: Thu, 22 May 2008 12:12:49 -0400
> From: Joe Vieira <jvieira at clarku.edu>
> Subject: Re: Re : Dynamic VLAN and FreeRadius
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <48359B81.1060306 at clarku.edu>
> Content-Type: text/plain; charset="UTF-8"; format=flowed
>
> HI Joel,
>
>    I think the issue here is that the D-Link APs you have are rather
> limited.
>
> RADIUS can never assign an SSID, because that step occurs before the
> user is authenticated.  Wireless starts with an association from the user
> to the AP's SSID; from there the AP decides what needs to happen.
>
> RADIUS can affect VLANs (generally, at least in the Cisco world, with
> 'Tunnel-Private-Group-ID', like you mentioned), but you'll never be able
> to force a user to switch SSIDs because that is client controlled.
>
> APs map VLANs to SSIDs internally; some allow n-to-1 and 1-to-n
> relationships, others like your D-Links only allow a direct mapping.
>
> Basically it sounds like you are limited by the constraints of your NAS.
>
> Joe Vieira
> UNIX Systems Administrator
> Clark University
>
> ------------------------------
>
> Message: 7
> Date: Thu, 22 May 2008 17:26:23 +0000 (GMT)
> From: Joel MBA OYONE <mba_oyone at yahoo.fr>
> Subject: Re : Re : Dynamic VLAN and FreeRadius
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <44687.98778.qm at web26107.mail.ukl.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Thank you Joe for your answer!
>
> We all agree that association is made before the authentication process, in
> order for RADIUS to be able to do its stuff. But the fact is that it doesn't
> work, and I was wondering what would be the result if I set:
> "Tunnel-Private-Group-ID = 100" (when the SSID where I am connected is
> assigned to VLAN 200, according to how my device works).
>
>
> I started to ask silly questions because it's true I don't understand
> anything anymore with my config!
> Basically, I have to use freeradius to authenticate wireless users, all
> connected on access points managed by that switch!
> I learnt freeradius stuff and with the help of the guys here, I am now
> able to set it up correctly!!!  Access point authentication works well,
> but end-user authentication doing some EAP fails but stays without any
> response after the Access-Challenge!! (saying no correct login/password
> found, or requiring a client certificate, depending on whether I am doing
> TLS or PEAP).
> Please note that it doesn't tell me that my certificates are
> incorrect; that is the reason why I started to think that the APs don't
> relay the EAP negotiation correctly! (On XP clients, the clients are blocked
> on "identity validation" and then give up the authentication). As I am a
> newbie with 802.1x stuff, I asked "silly" questions to clear up my
> doubts. It is not easy for me to do it in English!
>
>
>
> - About the limitations of the device, I posted on D-Link support a week
> ago and I am still waiting for the answer.
>
> - About RADIUS assigning SSIDs... it was a silly question of mine and the goal
> was just to be sure that RADIUS authentication events stay on the same SSID.
> Just for confirmation, and now I KNOW.
>
> - The reason for this confusion for me is what the documentation of the DWS-3024
> says on pages 205 and 206, as follows (some parts):
>
> ##############################################################
> ##############################################################
> NOTE:
> You can configure D-Link Access Points to use 802.1X authentication on the
> RADIUS server
> to allow or deny specific users on client stations access to the wireless
> network. If you enable
> 802.1X authentication, the client entry on a RADIUS server can support
> user-based VLANs
> and subnet assignments for IP tunneling. Table 80 shows the attributes to
> set for wireless
> clients within the RADIUS server.
>
> Table 80. RADIUS Attributes for Wireless Clients
>
>   RADIUS Server Attribute    Range               Usage
>   -----------------------    ----------------    --------
>   User-Name (1)              1-32 characters     Required
>   User-Password (2)          1-128 characters    Required
>   Tunnel-Medium-Type (65)    802                 Optional
> ##############################################################
>
> The following example shows the entry for a user in the users file. The
> username is "johndoe", the password is "test1234". The user is assigned to
> VLAN 77.
>
> johndoe Auth-Type := EAP, User-Password == "test1234"
>         Tunnel-Type = 13,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 77
>
> Tunnel-Type and Tunnel-Medium-Type use the same values for all stations.
> Tunnel-Private-Group-ID is the selected VLAN ID and can be different for
> each user.
> NOTE: Do not use the management VLAN ID of the AP for the value of the
>       Tunnel-Private-Group-ID.
> ##############################################################
> ##############################################################
>
>
> The documentation also says on page 201 (and I don't understand this step,
> even using a translator; an explanation would be appreciated):
> ##############################################################
> NOTE:
> This appendix does not describe RADIUS configuration for AP network
> authentication using 802.1X. This feature is separate from a valid AP
> configuration entry. The edge device that connects to the AP performs the
> network authentication. The edge device might not be the D-Link Unified
> Switch.
> ##############################################################
>
>
> Anyone interested in helping could just read pages 200-209 of this
> document and give advice.
> Here is the link:
> ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf
>
>
> thanks a lot!
> Joel
>
>
>
> ------------------------------
>
>
>
> End of Freeradius-Users Digest, Vol 37, Issue 113
> *************************************************
>



-- 
Naunidh
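The failure at the top of this thread (eapol_test ends in "verify error:num=20:unable to get local issuer certificate" and a fatal unknown_ca alert) is the condition Alan DeKok's reply in message 1 names: the issuer of the client certificate is not a CA in the server's trust file. The shell script below is an added example, not code from the thread, from FreeRADIUS or from eapol_test. It builds a throw-away CA and client certificate with openssl in a temporary directory (every subject, file name and directory in it is constructed for the example), and check_client_cert runs the same chain validation the server performs, first against the issuing CA and then against an unrelated one, so the two outcomes can be compared side by side.

```shell
#!/bin/sh
# Added example: reproduce and diagnose the "unable to get local issuer
# certificate" / unknown_ca failure from the thread with a throw-away PKI.
# All subjects, file names and the temp dir are constructed for this example;
# point check_client_cert at your real ca.pem and client certificate.

# make_test_pki DIR
# Creates ca.pem (the CA the server trusts), client.pem (signed by ca.pem,
# as "make client.pem" would do) and other-ca.pem, an unrelated CA standing
# in for "a CA that FreeRADIUS does not recognise".
make_test_pki() {
    dir="$1"
    cfg="$dir/openssl.cnf"
    # self-contained openssl config so the run does not depend on the
    # system openssl.cnf being present
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$cfg"

    openssl req -config "$cfg" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" || return 1
    openssl req -config "$cfg" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" -extensions v3_ca \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" || return 1

    # client CSR, then sign it with the first CA only
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -subj "/CN=user@example.com" \
        -keyout "$dir/client.key" -out "$dir/client.csr" || return 1
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" || return 1
}

# check_client_cert CA_FILE CLIENT_CERT
# Prints the CA file's subject next to the client cert's issuer, then runs
# the same chain validation the server does. Returns 0 if the chain
# verifies, 1 otherwise; "error 20" in the output is the thread's "num=20".
check_client_cert() {
    ca="$1"
    cert="$2"
    echo "CA file subject : $(openssl x509 -noout -subject -in "$ca")"
    echo "client issuer   : $(openssl x509 -noout -issuer -in "$cert")"
    if out=$(openssl verify -CAfile "$ca" "$cert" 2>&1); then
        echo "OK: $cert chains to $ca; a server trusting this CA accepts it"
        return 0
    fi
    echo "FAIL: $out"
    echo "      -> the client cert was not issued by the CA in $ca"
    return 1
}

# Demo run: the same client cert checked against the right and the wrong CA.
work=$(mktemp -d)
if make_test_pki "$work" >/dev/null 2>&1; then
    echo "--- against the issuing CA ---"
    check_client_cert "$work/ca.pem" "$work/client.pem"
    echo "--- against an unrelated CA (what eapol_test ran into) ---"
    check_client_cert "$work/other-ca.pem" "$work/client.pem" || true
fi
rm -rf "$work"
```

Running check_client_cert with the CA file from the tls section of eap.conf as the first argument and the file named in client_cert in the eapol_test config as the second answers the question directly: if openssl verify reports error 20, the client certificate was signed by a CA other than the one the server trusts (or the wrong CA file is configured on one side), and no eapol_test setting changes that. The unknown_ca alert is the server doing its job, refusing a certificate from an issuer outside its trust file; the fix is to issue the client certificate from that CA or to point the server at the CA that issued it, never to widen the trust file with unrelated CAs.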