(RADIATOR) Anyone get EAP-PEAP on XP to work Radius?

Mike McCauley mikem at open.com.au
Tue Mar 11 22:06:31 CST 2003


Thanks Bon,


BTW, I have also seen problems with some EAP clients and APs if the client is 
configured for a DHCP address, rather than a hardwired. You might want to try 
hardwiring the IP address to start with.

Bon, if you are not seeing Radius requests from your AP, I feel sure that your 
problems are due to some configuration issue in your client or your AP. I 
think you have set your AP according to some screen shots I sent so you 
should look closely at the client config:

1. Set for hardwired IP address
2. Set the 'show icon when connected' option.
3. Make sure the 'use 802.1x authentication' option is enabled for the 
wireless connection
4. Try some other EAP types, particularly MD5-Challenge.

5. With TLS, TTLS and PEAP, make sure you have the root certificate 
corresponding to the radius server's certificate installed on the client PC.
6. If using TLS, make sure that you have a client certificate and private key 
installed on the client. (Sometimes it's best to have only one personal 
certificate installed on the client.)


Cheers.

On Wed, 12 Mar 2003 01:06 am, Bon sy wrote:
> I apologize for sending out another posting again. I forget to include the
> cfg file for radiator in case this may help for reproducing my
> problem.
>
> Also, Mike, please ignore my question. It looks like the
> eap_tls.cfg takes care of identifying which server certificate to use
> already, which I grossly overlook and forget.
>
> On Tue, 11 Mar 2003, Bon sy wrote:
> > Denis and all others,
> > 	Thank you for the comment. Please read on ....
> >
> > On Tue, 11 Mar 2003, Denis Pavani wrote:
> > > Did you install user certificates on XP?
> >
> > I did -- at least that's what I think. I made two different attempts.
> >
> > First attempt, I generate my own certificates below valid for one month
> > from March 9:
> >
> > For the server: bonnet17.der, bonnet17.p12, bonnet17.pem
> > For the client: bonsy.der, bonsy.p12, bonsy.pem, root_bonsy.der
> >
> > I install the client certificate (install certificate root_bonsy.der to
> > the root trusted certificate store and subsequently bonnet17.p12).
> >
> > I also put bonnet17.der, bonnet17.p12, bonnet17.pem in the subdir where
> > the path pointing to it is specified in eap_tls.cfg file where radiusd is
> > reading from for the initialization.
> >
> > QUESTION: This part I never understand. I think in FREERADIUS one has to
> > configure/make/make install for the radius to know which server
> > certificate to use. How exactly does it work in radiator for it to know
> > which certificate to use when there are multiple certificates sitting
> > there? Mike, any chance you can help me to understand this?
> >
> > Second attempt I use the certificates Hugh and Mike put in the patch of
> > radiator 3.5:
> >
> > For the server: cert-srv.pem
> > For the client: root.der, cert-clt.p12
> >
> > Same problem as the first attempt, I did not get radiator receiving
> > request from XP via the Cisco AP 350. The setup for the Cisco AP 350 is
> > in the attachment cisco__eap_setup.doc which has a number of screen
> > shots.
> >
> > Nevertheless, in one occasion, I saw (eap like) access request to
> > radiator but it stops at the access request state. It looks like the
> > challenge process did not go through properly. But when I reset and try
> > to reproduce the situation again, the radiator went silent again. On this
> > particular occasion, the certificates of BOTH attempts are in the client
> > as well as server.
> >
> > I wonder anyone out there could help to reproduce the setup of AP 350,
> > and try the certificates in the attachments and see whether my problem
> > could be reproduced. If one can get it to work using my certificates and
> > setup, at least I will be able to tell the problem is not on the
> > certificates.
> >
> > The reason I suspect there could be a certificate problem is because I
> > was reading the "HowTo: EAP-TLS setup ..." by Ken Roser. He mentioned
> > that the server certificate must contain an EKU (Enhanced Key Usage) of
> > 1.3.6.1.5.5.7.3.2 for it to be useable for Windows 2000 server. I do not
> > think this is the case for the certificates that I generated, nor is it
> > the case for the testing certificates that Hugh distributes. But this
> > should not be the point if the EKU requirement is only for the Windows
> > server, which is not my case (I am using Linux server).
> >
> > I will deeply appreciate if anyone out there has a similar setup and is
> > willing to help to test out the certificates and the AP setup.
> >
> > Bon
> >
> > > Bon sy wrote:
> > > >Hi Christian, John, and Mike,
> > > >
> > > >	I have a similar problem as John on getting the 802.1X client of
> > > >XP to work with the radius via Cisco 350 AP -- except I am looking
> > > > into EAP-TLS.
> > > >
> > > >	I have the same setup on the 802.1x client side. I follow the
> > > >document reference mentioned in eap_tls.cfg for the setup, but no
> > > > luck. I talked to Mike and he emailed me the screen shot of the Cisco
> > > > (340?) AP set up required to work with the EAP-TLS. I follow that and
> > > > > use the certificate Hugh mentioned not too long ago for the test.
> > > > Still no luck.
> > > >
> > > >	When I initially config the AP and check both EAP and Mac
> > > >authentication in the "security tab" of the AP setup, I kept getting
> > > >radius response on MAC authentication, and EAP authentication does not
> > > >seem to happen. So, I thought it could be the certificate issue or the
> > > > AP just ignore the EAP authentication because MAC authentication is
> > > > also checked.
> > > >
> > > >	Next what I do is to uncheck MAC authentication and leave only EAP
> > > > >authentication, and use the test certificate Hugh posted so that it
> > > > >eliminates the possibility of the problem that is due to certificate
> > > > >generation. With that, radius does not even get the request response. A
> > > >minor side note, I did make sure to use the right certificate in the
> > > > XP machine. So, if assuming the screen shot Mike sent me is complete,
> > > > the only possible conclusion left is the XP side. But as of now, I
> > > > could not find any document addressing similar problems. John's
> > > > posting is as close to my problem as I can find.
> > > >
> > > >	Anyone out there has any insights? Thanks in advance!
> > > >
> > > >Bon
> > > >
> > > >On Fri, 7 Mar 2003, Christian Wiedmann wrote:
> > > >>Your settings sound fine.  I have PEAP authentication working with
> > > >> the same setup on XP Home (SP1).  I don't think that it matters
> > > >> whether the authenticate as computer or authenticate as guest boxes
> > > >> are checked (except that obviously it's going to fail to
> > > >> authenticate if you don't have them configured in Radiator).
> > > >>
> > > >>Are you sure you're getting a TLS tunnel?  The TLS tunnel isn't
> > > >> established until the first identity exchange, which normally only
> > > >> happens after you enter information in the login window.  If you
> > > >> actually are getting to the TLS stage, Windows must have credentials
> > > >> from somewhere - double check the MSCHAP-V2 settings to make sure it
> > > >> isn't using your Windows login information.
> > > >>
> > > >>What AP are you using?  If it is a Linksys WRT51AB or similar, I've
> > > >> discovered that the AP requires a State attribute to be in the
> > > >> Radius replies.  I've modified my version of Radiator to add one. 
> > > >> I'm not sure if there is a cfg- file way of doing this -- I actually
> > > >> modified the perl code.
> > > >>
> > > >>	-Christian
> > > >>
> > > >>On Fri, 7 Mar 2003, John McFadden wrote:
> > > >>>Date: Fri, 07 Mar 2003 14:16:44 -0500
> > > >>>From: John McFadden <dasjlm at uwo.ca>
> > > >>>To: radiator at open.com.au
> > > >>>Subject: (RADIATOR) Anyone get EAP-PEAP on XP to work Radius?
> > > >>>
> > > > >>>I installed latest Service Pack on XP to get the built in 802.1x
> > > >>> client but can't seem to get it to
> > > >>>authenticate via Radius. It appears that I get a TLS tunnel but
> > > >>> never get a logon popup on XP.
> > > >>>
> > > >>>I believe it is some kind of setup issue on XP not Radiator so I
> > > >>> just would like to
> > > >>>verify my XP setup before getting into Radiator.
> > > >>>
> > > >>>I started the Wireless Zero Config service.
> > > >>>
> > > > >>>I clicked on the applicable connection and its property button.
> > > >>>
> > > >>>In the authentication tab (confirms the Wireless Zero Config
> > > >>> installed and running.)
> > > >>>-I clicked on Enable IEEE802.1x
> > > >>>-I selected Protected EAP (PEAP)
> > > >>>-I left off Authenticate as computer
> > > >>>-I left off Authenticate as guest
> > > >>>
> > > >>>
> > > > >>>In the peap properties tab.
> > > > >>>-I left off validate server certificate - I assume not required for
> > > >>>EAP-PEAP?  Is this my problem?
> > > >>>-I selected EAP-MSCHAPV2 as authentication method.
> > > >>>
> > > > >>>In the EAP-MSCHAPV2 properties I left off the use Windows userid,
> > > >>>password and domain.
> > > >>>
> > > >>>Can someone comment confirm this setup should work?
> > > >>>
> > > >>>
> > > >>>
> > > >>>Thanks in advance.
> > > >>>
> > > >>>John McFadden
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>===
> > > >>>Archive at http://www.open.com.au/archives/radiator/
> > > >>>Announcements on radiator-announce at open.com.au
> > > >>>To unsubscribe, email 'majordomo at open.com.au' with
> > > >>>'unsubscribe radiator' in the body of the message.
> > > >>
> > > >>===
> > > >>Archive at http://www.open.com.au/archives/radiator/
> > > >>Announcements on radiator-announce at open.com.au
> > > >>To unsubscribe, email 'majordomo at open.com.au' with
> > > >>'unsubscribe radiator' in the body of the message.
> > > >
> > > >===
> > > >Archive at http://www.open.com.au/archives/radiator/
> > > >Announcements on radiator-announce at open.com.au
> > > >To unsubscribe, email 'majordomo at open.com.au' with
> > > >'unsubscribe radiator' in the body of the message.
> > >
> > > --
> > > ***********************************************************************
> > >* Denis Pavani
> > >
> > > CINECA    -    Comunicazioni e Sistemi Distribuiti
> > > NOC - Network Operation Center
> > >
> > > phone:+39 0516171953 / fax:+39 0516132198
> > > http://www.cineca.it
> > > ***********************************************************************
> > >* "Siamo pagati per adattarci, improvvisare e raggiungere lo scopo" --
> > > Gunny Highway

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
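
Added example, not part of the original thread and not Radiator code: a standard-library Python check that lists the Extended Key Usage OIDs carried by a DER-encoded certificate, so the EKU question raised in the quoted message can be answered by inspection. The function names and the sample bytes are constructed for illustration; the sample is a bare EKU extension rather than a full certificate.

```python
# Added example: list the Extended Key Usage (EKU) OIDs inside DER bytes.
EKU_EXT_OID = "2.5.29.37"                      # id-ce-extKeyUsage
KNOWN = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends one arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def walk(buf, start, end):
    """Yield every element in [start, end), descending into constructed ones."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        if tag & 0x20:                         # SEQUENCE, SET, [0], [3], ...
            yield from walk(buf, vs, ve)
        pos = ve

def eku_oids(der):
    """Return the EKU OIDs found in der, or [] when there is no EKU extension."""
    elems = list(walk(der, 0, len(der)))
    for i, (tag, vs, ve) in enumerate(elems):
        if tag == 0x06 and decode_oid(der[vs:ve]) == EKU_EXT_OID:
            # next siblings: optional BOOLEAN 'critical', then the OCTET STRING value
            for tag2, s2, e2 in elems[i + 1:i + 3]:
                if tag2 == 0x04:
                    return [decode_oid(der[a:b]) for t, a, b in walk(der, s2, e2) if t == 0x06]
    return []

# Constructed sample: an EKU extension listing serverAuth and clientAuth.
SAMPLE_EXT = bytes.fromhex("301d0603551d250416301406082b0601050507030106082b06010505070302")

if __name__ == "__main__":
    for oid in eku_oids(SAMPLE_EXT):
        print(oid, KNOWN.get(oid, "unknown"))
```

For a PEM file, ssl.PEM_cert_to_DER_cert from the standard library gives the DER bytes to pass to eku_oids.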
