open with mac authentication.

Tzvika Gelber daragaard at gmail.com
Sun Dec 9 21:58:19 CET 2012


Thank you very much.

>
> Tzvika Gelber wrote:
> > I created a new user with the MAC address of the client as the user and
> > password :
> ...
> > 00C0CA32A157 Cleartext-Password := "00C0CA32A157"
> ...
> >         User-Name = "00c0ca32a157"
> >         User-Password = "00c0ca32a157"
>
>   You do realize that they are different, right?
>
>   The comparisons in the users file are case-sensitive.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 9 Dec 2012 09:38:03 -0600
> From: Dan Letkeman <danletkeman at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: computer authentication
>
> Thank you Matthew for the clarification.  I could successfully get the
> Windows 7 client to try and make a request (you definitely need to have the
> certs imported into exactly the correct spots).  But now my debug log says
> that it's failing.  This is a default 2.1.12 install with the switch added
> to the clients.conf file.
>
>
> rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204,
> length=180
>         User-Name = "host/user@example.com"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Called-Station-Id = "9C-AF-CA-F4-40-10"
>         Calling-Station-Id = "64-31-50-7D-72-DE"
>         EAP-Message =
> 0x0201001a01686f73742f75736572406578616d706c652e636f6d
>         Message-Authenticator = 0x41f4a411366a244a23e887c859436d0b
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50016
>         NAS-Port-Id = "GigabitEthernet0/16"
>         NAS-IP-Address = 10.11.200.73
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "example.com" for User-Name = "host/user@example.com"
> [suffix] Found realm "example.com"
> [suffix] Adding Stripped-User-Name = "host/user"
> [suffix] Adding Realm = "example.com"
> [suffix] Proxying request from user host/user to realm example.com
> [suffix] Preparing to proxy authentication request to realm "example.com"
> ++[suffix] returns updated
> [eap] Request is supposed to be proxied to Realm example.com.  Not doing
> EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>   WARNING: Empty pre-proxy section.  Using default return values.
> Sending Access-Request of id 231 to 127.0.0.1 port 1812
>         User-Name = "host/user"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Called-Station-Id = "9C-AF-CA-F4-40-10"
>         Calling-Station-Id = "64-31-50-7D-72-DE"
>         EAP-Message =
> 0x0201001a01686f73742f75736572406578616d706c652e636f6d
>         Message-Authenticator = 0x00000000000000000000000000000000
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50016
>         NAS-Port-Id = "GigabitEthernet0/16"
>         NAS-IP-Address = 10.11.200.73
>         Proxy-State = 0x323034
> Proxying request 0 to home server 127.0.0.1 port 1812
> Sending Access-Request of id 231 to 127.0.0.1 port 1812
>         User-Name = "host/user"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Called-Station-Id = "9C-AF-CA-F4-40-10"
>         Calling-Station-Id = "64-31-50-7D-72-DE"
>         EAP-Message =
> 0x0201001a01686f73742f75736572406578616d706c652e636f6d
>         Message-Authenticator = 0x00000000000000000000000000000000
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50016
>         NAS-Port-Id = "GigabitEthernet0/16"
>         NAS-IP-Address = 10.11.200.73
>         Proxy-State = 0x323034
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231,
> length=171
>         User-Name = "host/user"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Called-Station-Id = "9C-AF-CA-F4-40-10"
>         Calling-Station-Id = "64-31-50-7D-72-DE"
>         EAP-Message =
> 0x0201001a01686f73742f75736572406578616d706c652e636f6d
>         Message-Authenticator = 0x0d22b2b1d5102149a8c1c731bc6613dd
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50016
>         NAS-Port-Id = "GigabitEthernet0/16"
>         NAS-IP-Address = 10.11.200.73
>         Proxy-State = 0x323034
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "host/user", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 26
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> host/user
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 231 to 127.0.0.1 port 1814
>         Proxy-State = 0x323034
> Waking up in 4.9 seconds.
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=231,
> length=25
>         Proxy-State = 0x323034
> # Executing section post-proxy from file /etc/raddb/sites-enabled/default
> +- entering group post-proxy {...}
> [eap] No pre-existing handler found
> ++[eap] returns noop
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> host/user@example.com
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Sending Access-Reject of id 204 to 10.11.200.73 port 1645
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 231 with timestamp +14
> Cleaning up request 0 ID 204 with timestamp +14
> Ready to process requests.
>
>
>
> On Fri, Dec 7, 2012 at 2:23 PM, Matthew Newton <mcn4 at leicester.ac.uk>
> wrote:
>
> > On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
> > > Sorry, I was not clear with my setup information.  We do not have a
> > > domain, these are stand-alone Windows 7 devices.  We also have some
> > > tablets and some Linux boxes.  Concern right now is the Windows 7
> > > devices.  I didn't know that you cannot do machine authentication
> > > without a domain....
> >
> > You can, but you'll need to handle the certificates on the hosts
> > manually. That's usually such a pain that the only real solution
> > is to use AD. If you've got a small number of devices, or can
> > write some other automated method of deploying certs, then it can
> > be possible to handle.
> >
> > What you /can't/ do is both User auth (mschap - username +
> > password) *and* Computer auth (certificates - EAP-TLS) in the same
> > connection, as the default Windows supplicant, like most, doesn't
> > support client certificates with PEAP (and user auth - mschap -
> > needs to be inside PEAP).
> >
> > > User authentication in my environment is just not an option because
> > > all of the devices need to have a connection to the network at all
> > > times even if nobody is logged in.  Should I be using PEAP/EAP-TLS
> > > instead?
> >
> > There are no good reasons for doing PEAP/EAP-TLS unless you want
> > to use SoH. PEAP adds overhead to the auth, with no added benefit.
> >
> > > If so do you know of any good setup documentation for that?
> >
> > I wrote up how to do PEAP/EAP-TLS a while back - you can find it
> > here: http://q.asd.me.uk/pet
> >
> > That said - your connection is trying to do PEAP, so you've
> > configured your client for either 'certificates' or mschap inside
> > PEAP. I forget the exact options in the interface, but you need to
> > choose 'certificates' rather than 'PEAP', then select the client
> > certificate that you want to auth with - which will be one that is
> > signed by the same CA that the CA_file option in your FreeRADIUS
> > eap.conf file points to. Make sure it's set to 'Computer' auth,
> > not 'User' or 'User + Computer'.
> >
> > In theory, you'll then find that it Just Works. But the Windows
> > config interface takes a bit of head scratching to get around
> > until you understand what it's doing under the hood.
> >
> > Cheers
> >
> > Matthew
> >
> >
> > --
> > Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
> >
> > Systems Architect (UNIX and Networks), Network Services,
> > I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> >
> > For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
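Alan DeKok's point in the quoted reply, that the users file compares the entry name case-sensitively, is the whole reason a request for `00c0ca32a157` never reaches the `00C0CA32A157` entry. The Python below is an added example, not from the thread or from FreeRADIUS: it emulates that lookup as shipped and beside it the same lookup after both sides have been normalised, which is what a rewrite policy running before the users module achieves (FreeRADIUS 2.x ships a `rewrite_calling_station_id` policy in policy.conf for this purpose). The `USERS_FILE` table and the MAC spellings are constructed sample input.

```python
import hmac
import re

# Constructed stand-in for the users-file entry quoted in the thread:
# the MAC is both the user name and the Cleartext-Password.
USERS_FILE = {"00C0CA32A157": "00C0CA32A157"}

_SEPARATORS = re.compile(r"[-:.\s]")

def canonical_mac(value):
    """Reduce any common MAC spelling (00C0CA32A157, 64-31-50-7D-72-DE,
    64:31:50:7d:72:de, 6431.507d.72de) to 12 lowercase hex digits.
    Returns None when the value is not a MAC address at all."""
    digits = _SEPARATORS.sub("", value)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return digits.lower()

def _canon(value):
    """Canonical form for MACs, unchanged for anything else."""
    return canonical_mac(value) or value

def users_file_auth(user_name, user_password, entries=USERS_FILE):
    """Emulates the stock users-file check: the entry name is a plain,
    case-sensitive string compare, which is why 00c0ca32a157 never
    matches the 00C0CA32A157 entry."""
    known_good = entries.get(user_name)
    if known_good is None:
        return False  # pap then warns: no "known good" password found
    return hmac.compare_digest(known_good, user_password)

def normalised_mac_auth(user_name, user_password, entries=USERS_FILE):
    """Same check after both the request and the entries have been
    canonicalised, the effect a rewrite policy running before the
    users module has (the policy itself is not shown here)."""
    table = {_canon(name): _canon(secret) for name, secret in entries.items()}
    known_good = table.get(_canon(user_name))
    if known_good is None:
        return False
    return hmac.compare_digest(known_good, _canon(user_password))
```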



-- 
____
Sometimes you just glow in the dark...
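Dan's radiusd -X trace quoted above carries its own diagnosis in a handful of lines: the suffix module matched realm example.com, the request was proxied with the realm stripped to 127.0.0.1, and the proxied copy failed in eap with "Identity does not match User-Name". As an added example, not part of the thread or of FreeRADIUS, this Python pulls those facts out of a constructed excerpt of that trace and states the finding; the regexes are written against the 2.1.12 debug format shown above.

```python
import re

# Constructed excerpt of the radiusd -X trace quoted above, cut down to the
# lines this triage keys on (sample input for the example, not the whole log).
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204, length=180
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "host/user"
[eap] Request is supposed to be proxied to Realm example.com.  Not doing EAP.
Sending Access-Request of id 231 to 127.0.0.1 port 1812
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231, length=171
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
Sending Access-Reject of id 231 to 127.0.0.1 port 1814
Sending Access-Reject of id 204 to 10.11.200.73 port 1645
"""

RE_REALM = re.compile(r'^\[suffix\] Found realm "([^"]+)"')
RE_STRIP = re.compile(r'^\[suffix\] Adding Stripped-User-Name = "([^"]+)"')
RE_PROXY = re.compile(r"^Sending Access-Request of id \d+ to (\S+) port (\d+)")
RE_EAP = re.compile(r"^\[eap\] (Identity does not match User-Name|Failed in handler)")
RE_REJECT = re.compile(r"^Sending Access-Reject of id (\d+) to ")

def triage(log):
    """Walk the trace once and collect the facts that explain the reject."""
    r = {"realm": None, "stripped_to": None, "proxied_to": None,
         "eap_errors": [], "rejects": []}
    for raw in log.splitlines():
        line = raw.strip()
        if m := RE_REALM.match(line):
            r["realm"] = m.group(1)
        elif m := RE_STRIP.match(line):
            r["stripped_to"] = m.group(1)
        elif m := RE_PROXY.match(line):
            r["proxied_to"] = f"{m.group(1)}:{m.group(2)}"
        elif m := RE_EAP.match(line):
            r["eap_errors"].append(m.group(1))
        elif m := RE_REJECT.match(line):
            r["rejects"].append(int(m.group(1)))
    return r

def finding(r):
    """One-line explanation for the operator, derived only from the trace."""
    if r["realm"] and r["proxied_to"] and "Identity does not match User-Name" in r["eap_errors"]:
        return (f'realm "{r["realm"]}" matched, User-Name was stripped to "{r["stripped_to"]}" '
                f"and the request proxied to {r['proxied_to']}; the proxied copy then failed "
                "in eap because the EAP identity no longer matches User-Name, so review "
                "that realm in proxy.conf first (EAP must reach one server intact).")
    return "rejected without a realm/proxy step; check the Auth-Type modules." if r["rejects"] else "no Access-Reject in this trace."
```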