computer authentication
Dan Letkeman
danletkeman at gmail.com
Sun Dec 9 16:38:03 CET 2012
Thank you Matthew for the clarification I could successfully get the
windows 7 client to try and make a request (you defiantly need to have the
certs imported into exactly the correct spots). But now my debug log says
that its failing. This is a default 2.1.12 install with the switch added
to the clients.conf file.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204,
length=180
User-Name = "host/user at example.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-F4-40-10"
Calling-Station-Id = "64-31-50-7D-72-DE"
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
Message-Authenticator = 0x41f4a411366a244a23e887c859436d0b
NAS-Port-Type = Ethernet
NAS-Port = 50016
NAS-Port-Id = "GigabitEthernet0/16"
NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "example.com" for User-Name = "host/
user at example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "host/user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user host/user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com. Not doing
EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 231 to 127.0.0.1 port 1812
User-Name = "host/user"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-F4-40-10"
Calling-Station-Id = "64-31-50-7D-72-DE"
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port-Type = Ethernet
NAS-Port = 50016
NAS-Port-Id = "GigabitEthernet0/16"
NAS-IP-Address = 10.11.200.73
Proxy-State = 0x323034
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 231 to 127.0.0.1 port 1812
User-Name = "host/user"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-F4-40-10"
Calling-Station-Id = "64-31-50-7D-72-DE"
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port-Type = Ethernet
NAS-Port = 50016
NAS-Port-Id = "GigabitEthernet0/16"
NAS-IP-Address = 10.11.200.73
Proxy-State = 0x323034
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231,
length=171
User-Name = "host/user"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-F4-40-10"
Calling-Station-Id = "64-31-50-7D-72-DE"
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
Message-Authenticator = 0x0d22b2b1d5102149a8c1c731bc6613dd
NAS-Port-Type = Ethernet
NAS-Port = 50016
NAS-Port-Id = "GigabitEthernet0/16"
NAS-IP-Address = 10.11.200.73
Proxy-State = 0x323034
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 231 to 127.0.0.1 port 1814
Proxy-State = 0x323034
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=231,
length=25
Proxy-State = 0x323034
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/
user at example.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 204 to 10.11.200.73 port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 231 with timestamp +14
Cleaning up request 0 ID 204 with timestamp +14
Ready to process requests.
On Fri, Dec 7, 2012 at 2:23 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
> > Sorry, I was not clean with my setup information. We do not have a
> domain,
> > these are stand alone windows 7 devices. We also have some tablets and
> > some linux boxes. Concern right now is the Windows 7 devices. I didn't
> > know that you cannot do machine authentication without a domain....
>
> You can, but you'll need to handle the certificates on the hosts
> manually. That's usually such a pain that the only real solution
> is to use AD. If you've got a small number of devices, or can
> write some other automated method of deploying certs, then it can
> be possible to handle.
>
> What you /can't/ do is both User auth (mschap - username +
> password) *and* Computer auth (certificates - EAP-TLS) in the same
> connection, as the default Windows supplicant, like most, doesn't
> support client certificates with PEAP (and user auth - mschap -
> needs to be inside PEAP).
>
> > User authentication in my environment is just not an option because all
> of
> > the devices need to have a connection to the network at all times even if
> > nobody is logged in. Should I be using PEAP/EAP-TLS instead?
>
> There are no good reasons for doing PEAP/EAP-TLS unless you want
> to use SoH. PEAP adds overhead to the auth, with no added benefit.
>
> > If so do you know of any good setup documentation for that?
>
> I wrote up how to do PEAP/EAP-TLS a while back - you can find it
> here: http://q.asd.me.uk/pet
>
> That said - your connection is trying to do PEAP, so you've
> configured your client for either 'certifiates' or mschap inside
> PEAP. I forget the exact options in the interface, but you need to
> choose 'certificates' rather than 'PEAP', then select the client
> certificate that you want to auth with - which will be one that is
> signed by the same CA that the CA_file option in your FreeRADIUS
> eap.conf file points to. Make sure it's set to 'Computer' auth,
> not 'User' or 'User + Computer'.
>
> In theory, you'll then find that it Just Works. But the Windows
> config interface takes a bit of head scratching to get around
> until you understand what it's doing under the hood.
>
> Cheers
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20121209/7f5912b8/attachment-0001.html>
More information about the Freeradius-Users
mailing list