Freeradius-Users Digest, Vol 167, Issue 65

Aditya Vijjan aditya.vijjan at gmail.com
Mon Mar 25 10:35:40 CET 2019


Hi Alan,

I have added 123 entries in clients.conf but only the top 2 entries are working;
the remaining ones are not.

Regards

Aditya Vijjan

On Mon, Mar 25, 2019 at 3:01 PM <
freeradius-users-request at lists.freeradius.org> wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: Clients.conf (Alan DeKok)
>    2. Logging config to get certificate details (Jim Potter)
>    3. Re: Logging config to get certificate details (Alan DeKok)
>    4. Re: Logging config to get certificate details (Jim Potter)
>    5. Re: Logging config to get certificate details (Alan DeKok)
>    6. Re: Logging config to get certificate details (Jim Potter)
>    7. Re: Logging config to get certificate details (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 25 Mar 2019 04:15:14 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Clients.conf
> Message-ID: <87DB7382-35DD-4649-AE92-D7AF30897DFE at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On Mar 25, 2019, at 3:25 AM, Aditya Vijjan <aditya.vijjan at gmail.com>
> wrote:
> >
> > I have different clients using diff IP and secret, i have allowed in
> > clients.conf but only top 2 entries are allowed and remaining not
> working,
>
>   That's not how the server works.
>
>   If you add clients to clients.conf, they are added, and they work.
>
>   Perhaps you could give a more detailed explanation.
>
>   Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 25 Mar 2019 08:53:31 +0000
> From: Jim Potter <j.potter at bathspa.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Logging config to get certificate details
> Message-ID:
>         <
> CAF_FbKP7hCijAeD4TXfiPUoTkvUGzao7pXLTztLRJyWf5U5m-A at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi all,
>
> We have a PEAP eduroam setup here, and I have a suspicion that not all our
> users are using/validating the server certificate - I know we can set the
> clients up to not use certificates and they can still connect fine. (I'm
> not completely clear on the PEAP process and whether the clients are still
> using the server cert but aren't validating it, or whether no cert is used
> at all in this case).
>
> So what I'd like to find out is if I can set the server logging up to find
> out about the certificates used by each client - whether a cert is being
> requested, and if so, whether the certificate is being validated by the
> clients. I know this is primarily a client issue, but I'm looking for signs
> of this from the server so I can see how widespread this is. I've tried
> auth_goodpass/auth_badpass (no luck), I'm not sure where next to look on
> this - does anyone have any advice?
>
> thanks (again) in advance
>
> Jim Potter
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 25 Mar 2019 04:55:35 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Logging config to get certificate details
> Message-ID: <85A9DD14-A179-4182-8912-39B94DA0FC05 at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On Mar 25, 2019, at 4:53 AM, Jim Potter <j.potter at bathspa.ac.uk> wrote:
> >
> > We have a PEAP eduroam setup here, and I have a suspicion that not all
> our
> > users are using/validating the server certificate - I know we can set the
> > clients up to not use certificates and they can still connect fine. (I'm
> > not completely clear on the PEAP process and whether the clients are
> still
> > using the server cert but aren't validating it, or whether no cert is
> used
> > at all in this case).
>
>   You can't tell what the client is doing.
>
>   The server sends the certs to the client, and the client either
> validates them, or ignores them.  It doesn't tell the server what it's
> doing.
>
> > So what I'd like to find out is if I can set the server logging up to
> find
> > out about the certificates used by each client - whether a cert is being
> > requested, and if so, whether the certificate is being validated by the
> > clients. I know this is primarily a client issue, but I'm looking for
> signs
> > of this from the server so I can see how widespread this is. I've tried
> > auth_goodpass/auth_badpass (no luck), I'm not sure where next to look on
> > this - does anyone have any advice?
>
>   This information is available only on the client.  The client doesn't
> tell anyone else what it's doing.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 25 Mar 2019 09:06:39 +0000
> From: Jim Potter <j.potter at bathspa.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Logging config to get certificate details
> Message-ID:
>         <CAF_FbKM2C2bb1LVdw+yuqHeEktXcnAUNA5rTHa9f+vJoaT35=
> w at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Alan,
>
> Thanks for the quick reply!
>
> So doesn't the client return a PEAP request containing the MSCHAPv2 request
> encrypted using the server certificate? My hope was that if a client device
> wasn't using a cert at all, I could see the format of the reply or
> something similar... but then if the clients are using whatever cert is
> sent out, but not validating it, that wouldn't show up.
>
> OK, so, plan B - if I set up a rogue access point (FreeRadius WPE or
> similar with a self signed certificate), I could see who connects
> regardless of the dubious cert, then chase them up. Would that work?
>
> thanks again,
>
> Jim
>
>
>
>
> --
> thanks,
>
> Jim Potter
> User Platform Engineer
> IT Services
> Bath Spa University
>
> T: 01225 876220
> Visit www.bathspa.ac.uk
> Join us on: Facebook <http://www.facebook.com/bath.spa.university>|
> Twitter
> <https://twitter.com/#!/BathSpaUni>| YouTube
> <http://www.youtube.com/BathSpaUniversity>| LinkedIn
> <http://www.linkedin.com/company/bath-spa-university>
> Newton Park, Bath, BA2 9BN
>
> Think before you print
>
> Disclaimer
> If you have received this message in error, please notify us and remove it
> from your system. Any views or opinions expressed in personal emails are
> solely those of the author and do not necessarily represent those of Bath
> Spa University. Neither Bath Spa University nor the sender accepts any
> responsibility for viruses and it is your responsibility to scan this email
> and any attachments for viruses.
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 25 Mar 2019 05:15:12 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Logging config to get certificate details
> Message-ID: <B733798B-02B6-4901-9B5D-B4B704FB070F at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On Mar 25, 2019, at 5:06 AM, Jim Potter <j.potter at bathspa.ac.uk> wrote:
> > So doesn't the client return a PEAP request containing the MSCHAPv2
> request
> > encrypted using the server certificate?
>
>   No.
>
>   PEAP essentially sets up a TLS connection between the two endpoints.  It
> then sends MS-CHAPv2 data inside of the TLS tunnel.
>
>   The MS-CHAPv2 is protected via the TLS protocol.  It is *not* "encrypted
> using the server certificate".
>
> > My hope was that if a client device
> > wasn't using a cert at all,
>
>   The client device gets the server cert sent to it by the server, as part
> of the TLS exchange.  The client device is free to *ignore* this server
> certificate.
>
> > I could see the format of the reply or
> > something similar... but then if the clients are using whatever cert is
> > sent out, but not validating it, that wouldn't show up.
>
>   Yes.
>
> > OK, so, plan B - if I set up a rogue access point (FreeRadius WPE or
> > similar with a self signed certificate), I could see who connects
> > regardless of the dubious cert, then chase them up. Would that work?
>
>   People will connect if they configure it manually.  Which most won't.
>
>   There really isn't any point in doing this.  You won't get any useful
> information from it.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 25 Mar 2019 09:29:19 +0000
> From: Jim Potter <j.potter at bathspa.ac.uk>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Logging config to get certificate details
> Message-ID:
>         <CAF_FbKOAy-m61kMhFdm+wcdh4fy_1QqC=
> vx+MprzN6veYMh4iQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Alan,
>
> OK, thanks for the advice here. Historically, everyone has set up their
> devices manually, and I have a suspicion that some have been told to ignore
> the certificate, so if I do set up a rogue access point, this WILL catch
> anyone with this configured, correct?
>
> cheers,
>
> Jim
>
>
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 25 Mar 2019 05:31:46 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Logging config to get certificate details
> Message-ID: <E9025034-9BFF-4DD3-9F65-4AAA3BFAFEA4 at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
> On Mar 25, 2019, at 5:29 AM, Jim Potter <j.potter at bathspa.ac.uk> wrote:
> >
> > OK, thanks for the advice here. Historically, everyone has set up their
> > devices manually, and I have a suspicion that some have been told to
> ignore
> > the certificate, so if I do set up a rogue access point, this WILL catch
> > anyone with this configured, correct?
>
>   Maybe.
>
>   Alan DeKok.
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 167, Issue 65
> *************************************************
>


-- 
Thanks & Regards
Aditya Vijjan
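Added example for the clients.conf question at the top of this digest; it is not code from the thread or from FreeRADIUS. Before asking the list why later client entries are "not working", a practitioner would want to rule out plain configuration mistakes: an unclosed block, a client with no address or no secret, two clients defined for the same address, or a secret too short to be worth much. The checker below parses only the simple subset of the clients.conf syntax shown in its constructed sample (`client NAME { key = value }` blocks and `#` comments; nested sub-blocks are not understood), the 16-character minimum is an assumed local policy rather than a server requirement, and the key names it looks for (`ipaddr`, `ipv4addr`, `ipv6addr`, `secret`) are real clients.conf keys. The server's own check remains `radiusd -C`, and `radiusd -X` prints the parsed configuration, including each client block, so a missing client shows up there first.

```python
"""Sanity-check a FreeRADIUS clients.conf before starting the server.

Added example, not FreeRADIUS code.  Understands only: `client NAME {`,
`key = value` lines, a lone `}` closing the block, `#` comments and blank
lines.  Nested sub-blocks inside a client are not supported, and a `#`
inside a quoted secret is treated as a comment (a known limitation).
"""
import ipaddress
import re

CLIENT_OPEN = re.compile(r"^\s*client\s+(\S+)\s*\{\s*$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.+?)\s*$")
ADDRESS_KEYS = ("ipaddr", "ipv4addr", "ipv6addr")   # real clients.conf keys
MIN_SECRET_LEN = 16   # assumption: local policy, not a FreeRADIUS requirement


def parse_clients(text):
    """Return ({client_name: {key: value}}, [parse problems])."""
    clients, problems = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        m = CLIENT_OPEN.match(line)
        if m:
            if current is not None:
                problems.append(f"line {lineno}: 'client {m.group(1)}' opened "
                                f"before '{current}' was closed")
            current = m.group(1)
            if current in clients:
                problems.append(f"line {lineno}: duplicate client name '{current}'")
            clients[current] = {}
            continue
        if line.strip() == "}":
            if current is None:
                problems.append(f"line {lineno}: stray '}}'")
            current = None
            continue
        m = KEY_VALUE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip('"')
            if key in clients[current]:
                problems.append(f"line {lineno}: '{key}' set twice in client '{current}'")
            clients[current][key] = value
            continue
        problems.append(f"line {lineno}: unparsed: {line.strip()!r}")
    if current is not None:
        problems.append(f"end of file: client '{current}' is never closed")
    return clients, problems


def check_clients(clients):
    """Report clients that cannot match a NAS or that weaken the shared secret."""
    problems, seen = [], {}          # seen: normalised network -> first client name
    for name, attrs in clients.items():
        addrs = [attrs[k] for k in ADDRESS_KEYS if k in attrs]
        if not addrs:
            problems.append(f"client '{name}': no ipaddr/ipv4addr/ipv6addr")
        for addr in addrs:
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                # hostnames and '*' are legal but not checked for overlap here
                continue
            if net in seen:
                problems.append(f"client '{name}': address {addr} duplicates "
                                f"client '{seen[net]}'")
            else:
                seen[net] = name
        secret = attrs.get("secret")
        if secret is None:
            problems.append(f"client '{name}': no secret")
        elif len(secret) < MIN_SECRET_LEN:
            problems.append(f"client '{name}': secret shorter than "
                            f"{MIN_SECRET_LEN} characters")
    return problems


def lint(text):
    """Parse and check in one call; returns the combined list of findings."""
    clients, problems = parse_clients(text)
    return problems + check_clients(clients)


# Constructed sample config (not a real deployment); addresses are from 192.0.2.0/24.
SAMPLE = """\
client switch-1 {
    ipaddr = 192.0.2.10
    secret = correct-horse-battery-staple-01
}
client switch-2 {
    ipaddr = 192.0.2.11
    secret = correct-horse-battery-staple-02
}
client ap-floor-3 {
    ipaddr = 192.0.2.10        # same address as switch-1
    secret = short
}
client ap-floor-4 {
    ipaddr = 192.0.2.13
    secret = correct-horse-battery-staple-04
# closing brace missing
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against the real file with `python3 check_clients.py < /etc/raddb/clients.conf` after replacing `SAMPLE` with `sys.stdin.read()`; an empty findings list does not prove the server will load every client, so follow up with `radiusd -C`.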

