Show Posts



Messages - lelik

16
Drummel,

Is it a fix for "station" authentication? Please elaborate: what does it do?

17
Yes, it works on ebox-samba, although if I restart samba I am sure my changes will be gone.
Still, it is configured to do only 50% of what it is supposed to do.
The Windows logon process on a secured wireless network works as follows:
1. The user enters credentials in the GUI.
2. Is a network connection available? If not, perform PEAP/MSCHAPv2 authentication using the station credentials. If yes, authenticate the user against the domain controller.
3. Perform PEAP/MSCHAPv2 authentication using the user credentials.
4. Initiate the user session.

As I said, I made PEAP/MSCHAPv2 authentication using user credentials work:
Code: [Select]
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for olga with NT-Password
        expand: --username=%{mschap:User-Name:-None} -> --username=john
        expand: %{mschap:NT-Domain} -> MYDOMAIN
        expand: --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} -> --domain=MYDOMAIN
[mschap]  mschap2: 5f
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=xxxxxxxxxxxx       
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=xxxxxxxxxxxxxxxxxx
Exec-Program output: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program-Wait: plaintext: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
The FreeRADIUS configuration file must contain attribute rewrite rules in order to modify the incoming username into a format which matches the names in samba/ldap. Windows sends the machine name in the form host/MACHINE-NAME.DOMAIN-NAME.
I followed the Novell guide on how to strip "host/" and add "$", but so far my understanding of regex statements and the unlang language is not adequate to accomplish it. As a result I cannot configure freeradius to authenticate the workstation.
http://www.novell.com/coolsolutions/feature/17044.html#7
Fortunately, the Microsoft authentication process allows local credentials to be cached, allowing the desktop to be initialized without actually having to issue any network traffic.
Which means in my case authentication still works, but it is much less secure than an enterprise environment requires:
1. The user enters credentials in the GUI.
2. Is a network connection available? If not, it means no domain controller is available, but the user is able to log on using cached credentials.
3. Perform PEAP/MSCHAPv2 authentication using the user credentials.
4. Initiate the user session (now it works, as the wireless connection is successfully established).

If you are good at regex statements and could fix "station" authentication, this ebox peap/mschapv2 could be rock solid even for enterprise environments.

18
Ok. Here we go.

1. Install winbind

2. Edit the file /etc/nsswitch.conf and add winbind at the end of the following lines:
Code: [Select]

passwd:
group:
protocols:
services:
netgroup:
automount:

3. Give the user freerad rights to write to the winbindd_privileged folder, even though it looks like you are running freeradius under root credentials. Please confirm.

Code: [Select]
sudo adduser freerad winbindd_priv
sudo chmod 750 /var/run/samba/winbindd_privileged

4. Modify smb.conf for the winbind setup:
Code: [Select]
[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = \
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes

5. Restart winbind and samba, and as root join the domain:
Code: [Select]
net join -U Administrator
Very important: this cost me almost 2 days of testing (!!!)

6. Tests to confirm it's working:
Code: [Select]
wbinfo -u
Correctly gives the list of PDC users.
Code: [Select]
wbinfo -g
Correctly gets group information from the PDC.
Code: [Select]
getent passwd
Gets unified lists of both local and PDC users and groups.
Code: [Select]
wbinfo -a user%password    # substitute real user credentials
Expected output:
Code: [Select]
plaintext password authentication succeeded
challenge/response password authentication succeeded
Code: [Select]
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password    # substitute real user credentials
Expected output:
Code: [Select]
NT_STATUS_OK: Success (0x0)
If something is not giving the expected result, debug; do not continue.
If it works, we have successfully configured winbind + samba + ntlm_auth.

7. Configuring FreeRADIUS to use ntlm_auth:

Modify the file /etc/freeradius/modules/mschap. The following lines should be uncommented:
Code: [Select]

mschap {
....

with_ntdomain_hack = yes

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


}

Now set up the Windows client and test with radtest.

Side notes:
1. You can start freeradius in debug mode from the command line during testing to see all errors/comments:
Code: [Select]
sudo /usr/sbin/freeradius -X
2. I created all certificates by hand. So far I have made use only of the CA root authority ca.der:
my Windows clients always validate the server certificate.
3. I verified that the MS built-in supplicant works using EAP-MSCHAP v2. I did not have time or desire to make "Smart Card or other certificate" work using the client.p12 personal certificate.
So I am not sure if it works or not.
4. You could create certificates using the ebox certificate module, but then you have to fix all relative paths to them in the radius config files (i.e. radiusd.conf, eap.conf, etc.)


Cheers
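The identity handling discussed in the two posts above (stripping host/ and appending $ for machine accounts, and splitting DOMAIN\user before calling ntlm_auth), reproduced offline as an added example. This is not code from the posts or from eBox. It assumes that MYDOMAIN is the only domain (the default in the ntlm_auth line above), that a user@realm identity belongs to that same domain, and that samba stores computer accounts as the upper-cased host label followed by "$"; all of those are placeholders for this example.

```shell
#!/bin/sh
# Added example, not taken from the forum posts or from eBox: reproduce, offline,
# the identity handling the mschap/ntlm_auth configuration needs, so the expected
# result can be checked without a running FreeRADIUS.
# Assumptions (placeholders, not from the posts): the only domain is MYDOMAIN, and
# samba stores computer accounts as the upper-cased host label followed by "$".

DEFAULT_DOMAIN=MYDOMAIN

# Map the identity a Windows supplicant sends to "user:domain":
#   host/ws01.mydomain.local -> WS01$:MYDOMAIN   (machine account)
#   MYDOMAIN\olga            -> olga:MYDOMAIN    (what with_ntdomain_hack splits)
#   olga@mydomain.local      -> olga:MYDOMAIN    (UPN; realm dropped, single domain)
#   olga                     -> olga:MYDOMAIN
split_identity() {
    id=$1
    case "$id" in
        host/*)
            h=${id#host/}          # drop the "host/" prefix
            h=${h%%.*}             # keep the label before the first dot
            u=$(printf '%s$' "$h" | tr '[:lower:]' '[:upper:]')
            d=$DEFAULT_DOMAIN
            ;;
        *\\*)
            d=${id%%\\*}           # text before the backslash
            u=${id#*\\}            # text after it
            ;;
        *@*)
            u=${id%%@*}            # drop the realm (single-domain assumption)
            d=$DEFAULT_DOMAIN
            ;;
        *)
            u=$id
            d=$DEFAULT_DOMAIN
            ;;
    esac
    printf '%s:%s\n' "$u" "$d"
}

# Build the argument string the post's "ntlm_auth = ..." line produces after
# %{mschap:User-Name} / %{mschap:NT-Domain} expansion; challenge and response
# are the hex values FreeRADIUS fills in per request.
ntlm_auth_args() {
    pair=$(split_identity "$1")
    printf '%s\n' "--request-nt-key --username=${pair%%:*} --domain=${pair#*:} --challenge=$2 --nt-response=$3"
}

# Usage: sh identity.sh 'host/ws01.mydomain.local' 'MYDOMAIN\olga'
for id in "$@"; do
    printf '%-28s -> %s\n' "$id" "$(split_identity "$id")"
done
```

In FreeRADIUS itself the machine-name rewrite is done with an unlang rule that captures the host label with a regex and writes the result to the attribute the `--username=` expansion reads; the shell version only tells you what that result must be, so the `freeradius -X` expansion lines (`--username=...`, `--domain=...`) can be compared against it.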

19
ca.der -> DER format of ca.pem.

Code: [Select]
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
To import the Root CA certificate, copy ca.der to the Windows client desktop and double-click it.
This will allow the Validate Server Certificate option to be checked in the 802.1X supplicant (both SecureW2/PAP and MS built-in MS-CHAPv2).

.p12 is X.509 private keys and certificates in a single encrypted file using PKCS#12.

Code: [Select]
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:${PASSWORD_CLIENT} -passout pass:${PASSWORD_CLIENT}
To install the client certificate, copy the client's client.p12 file to the Windows host and double-click it.

I checked /etc/freeradius/ldap.attrmap and it already has the lines
Code: [Select]
checkItem       LM-Password                     sambaLmPassword
checkItem       NT-Password                     sambaNtPassword

As sambaLmPassword = eboxLmPassword and sambaNtPassword = eboxNtPassword,
I don't think inserting eboxLmPassword & eboxNtPassword will help.

I will install winbind and let you know if I make it work.
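The two openssl conversions in the post above, exercised end to end as an added example (not code from the post or from eBox): it generates a throwaway CA and client certificate, produces ca.der and client.p12 from them, and verifies the files before they go anywhere near a Windows host. The subject names, the friendly name and the password are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the forum post or the eBox project: build the two
# files the Windows supplicant needs (ca.der and client.p12) from a throwaway
# CA so the openssl conversions in the post can be exercised end to end, and
# verify the result before copying it to a client.  Subject names, friendly
# name and password are placeholders; a real deployment uses the FreeRADIUS
# or eBox CA instead of make_test_pki.
set -u

# Create a self-signed CA and a client certificate signed by it inside $1.
make_test_pki() {
    dir=$1
    ( cd "$dir" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj '/CN=Example Test CA' -keyout ca.key -out ca.pem 2>/dev/null &&
      openssl req -newkey rsa:2048 -nodes \
          -subj '/CN=olga' -keyout client.key -out client.csr 2>/dev/null &&
      openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -days 365 -out client.crt 2>/dev/null )
}

# The two conversions from the post: PEM CA -> DER (what the Windows
# certificate import wizard expects) and key + cert -> PKCS#12 bundle,
# with the CA included so the client can display the whole chain.
make_client_bundle() {
    dir=$1 password=$2
    ( cd "$dir" &&
      openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der &&
      openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.pem \
          -name olga -out client.p12 -passout "pass:$password" )
}

# Checks worth running before shipping the files: the client cert really
# chains to the CA, the DER file parses, and the .p12 opens with the password.
verify_bundle() {
    dir=$1 password=$2
    ( cd "$dir" &&
      openssl verify -CAfile ca.pem client.crt >/dev/null &&
      openssl x509 -inform DER -in ca.der -noout -subject >/dev/null &&
      openssl pkcs12 -in client.p12 -passin "pass:$password" -noout )
}

# Usage: sh bundle.sh <empty directory> <p12 password>
if [ $# -eq 2 ]; then
    make_test_pki "$1" && make_client_bundle "$1" "$2" && verify_bundle "$1" "$2" && ls -l "$1"
fi
```

Two things to keep in mind when doing this for real clients: OpenSSL 3 encrypts PKCS#12 files with PBES2/AES-256 by default, which older Windows import wizards (Windows 7 included) reject with a "password is incorrect" error, so add `-legacy` to the `pkcs12 -export` line for those clients; and only ca.der is needed for the Validate Server Certificate option, the .p12 matters only for certificate-based ("Smart Card or other certificate") logon.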

20
Thanks.
I got it kind of working using the suggested SecureW2 with EAP-TTLS/PAP.
I had to create all certificates manually using the freeradius README.
Also modified /etc/freeradius/eap.conf to put in the corresponding private_key_password.

It would be nice if the radius module were integrated similarly to the openvpn module, so one could use the GUI to create all certificates and write the modifications to eap.conf. Also there are two files required by Windows clients which are not produced by the current implementation of the ebox certificate module: client.p12 and ca.der

Also I had to instruct SecureW2 not to send the domain name, only username + password.
If the domain name is sent, it fails, as it does not know how to strip @domain from the user name.

From what I read, LDAP doesn't do MS-CHAPv2. You can't "do MS-CHAPv2 against
an LDAP server". But you CAN have FreeRADIUS read the clear-text password
from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication.

I did not get a working configuration for the built-in Microsoft EAP PEAP MSCHAP v2 though.

I managed to strip the domain name DOMAIN\ using a filter in the ldap module:

Code: [Select]
filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
where you have:

Code: [Select]
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
I am still getting error messages:

[mschap] FAILED: MS-CHAP2-Response is incorrect

Question: the only way to get EAP-MSCHAPv2 working is to use ntlm_auth. ntlm_auth is part of the winbind package, which is not implemented in ebox. Why?

21
Thanks.
I am going to try it.

Oh, wait...

Development of SecureW2's Personal Client 2.X version ceased in mid-2009.
Xsupplicant supports only Windows XP and Linux, and compatible with Vista & Win7.

Do you happen to know any Win7 clients with TTLS PAP support?

On another subject.

The freeradius server can authenticate users via PAP, CHAP, MS-CHAP, MS-CHAPv2, SIP Digest, and all common EAP methods.

The ability to use a particular authentication protocol (PAP, CHAP, types of EAP) is completely under the control of the administrator.

Could I reconfigure ebox (manually, through config files) to support MS-CHAPv2?

22
Installation and Upgrades / How delete orphan printers?
« on: June 02, 2010, 06:26:45 pm »
Ebox-> Users and Groups -> Users ->[User Name] -> Printers

shows the names of old computers that are no longer there.

Is there any way to delete those entries manually?

23
The radius server seems to be configured properly.
I tested it with radtest and got
Code: [Select]
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=45, length=20

24
Trying to set up RADIUS. Followed the eBox 1.4 for Network Administrators manual.
Configured:
- radius server module with ebox
- ap /wireless router with WPA2/radius
- windows client.

When the Windows client tries to connect, the radius server logs:
Code: [Select]
cat /var/log/freeradius/radius.log
Thu May 27 12:07:06 2010 : Error:     TLS_accept:failed in SSLv3 read client certificate A
Thu May 27 12:07:06 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thu May 27 12:07:06 2010 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

Do I have to install any of the certificates that can be found in /etc/freeradius/certs on the Windows client?
Do I have to generate/re-generate any certificates, or are they generated by enabling the ebox radius module?
Do I have to change any configs in the /etc/freeradius/ directory?
Any specific steps when setting up the Windows client?

25
Nobody is using the radius server module?
or
Nobody has built a mixed network with both wired and wireless connections, where some devices are directly connected via Ethernet (Cat5) cables, while other devices, including laptops, pocket PCs and mobile phones, connect wirelessly?

Any other ideas on how to bridge wired and wireless networks? As I mentioned above, right now I am using OpenVPN, but I am not fully satisfied with the setup.

26
Current setup:
----------------

ebox (firewall, pdc, openvpn) ---> wired switch ---> comp #1, #2, #3
                                               |---> printer #1
                                               |---> wireless router (bridged) ---> laptop #1, #2

ebox serves 192.168.1.0/24 addresses to computers #1, #2, #3
ebox serves 192.168.2.0/24 addresses to laptops #1, #2 and 10.0.1.0/24 through OpenVPN
users of laptops #1, #2 can use printer #1 on {GREEN} as fully authenticated by ebox (PDC + OpenVPN)

Intended setup:
----------------

ebox (firewall, pdc, radius) ---> wired switch ---> comp #1, #2, #3
                                              |---> printer #1
                                              |---> wireless router (bridged) ---> laptop #1, #2

ebox serves 192.168.1.0/24 addresses to computers #1, #2, #3 and to laptops #1, #2 through PDC + radius

The idea is to have users of laptops #1, #2 securely logged in to the wired network using the ldap/radius components of ebox and the wireless switch. Is it even possible? Anyone care to share their setup/configuration? Can I keep the wireless router in bridged mode (basically using it as a switch) and have ebox serve all IPs? Or do I have to use it as a wireless router/hot spot, as the radius server configuration requires an IP to be entered?

Any suggestions are welcomed.

27
Installation and Upgrades / Re: samba login too long
« on: April 01, 2010, 05:38:18 pm »
Problem identified:
Code: [Select]
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(520)
_netr_ServerAuthenticate2: netlogon_creds_server_check failed.
Rejecting auth request from client WHATEVER machine account WHATEVER$


The machine joined the domain automatically and the entry was created by samba with the
add machine script = /usr/sbin/smbldap-useradd -w "%u"

Looked for names in /etc/passwd and /etc/group = nada

So my guess is the ebox implementation of samba/ldap stores names in the ldap db only.

Browsing the db with
Code: [Select]
sudo pdbedit -Lv
returns:
Code: [Select]
Unix username:        whatever$
NT username:          whatever$
Account Flags:        [W          ]
....

Now we are getting somewhere.
Errors are recorded a number of times for the machine account. Initially it succeeds, then in a later call it fails NOT because the machine account isn't in the ldap db, but because it is being looked up in UPPER case.

Questions for the ebox team:
1) Is there any way to manually edit the ldap db to write all computer names in upper case?
2) Is there a way to make the smbldap-useradd script write names in upper case into the ldap db when a machine joins the domain for the first time?
3) Could LDIF and/or command line tools be used to convert the computer name to upper case?



28
still hunting?

29
eth0 - external NIC (216.115.X.X)
eth1 - internal NIC (192.168.1.1)

Forwarded port 12345 to computer 192.168.1.5:
Code: [Select]
Interface  Orig. dest.  Orig. dest. port  Protocol  Source  Dest. IP     Port
eth0       eBox         12345             TCP/UDP   Any     192.168.1.5  Same
Created a rule allowing all traffic from internal interfaces to ebox:
Code: [Select]
Decision  Source  Destination  Service
ACCEPT    Any     Any          any
Forwarding works, but the firewall drops forwarded ports when the request comes from an internal interface:
Code: [Select]
In. int.  Out. int.  Source       Dest.        Protocol  Source port  Dest. port  Decision
eth1      -          192.168.1.5  216.115.X.X  TCP       53216        12345       DROP
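The case in the last table above (an internal host addressing the firewall's external IP on a forwarded port) is what is usually called hairpin or loopback NAT, and the rules below are one way it is commonly handled, given here as an added example that is not the post's configuration and not anything eBox generates. The external address in the post is masked, so 203.0.113.10 is a placeholder; the interfaces, network, port and target host are the post's. The GUI rule in the post accepts traffic addressed to the firewall itself; a hairpinned flow is instead forwarded, which is why it needs its own DNAT, SNAT and FORWARD entries.

```shell
#!/bin/sh
# Added example, not from the forum post or the eBox project: the iptables
# rules that make a port forward also work for clients on the internal LAN
# that address the firewall's external IP ("hairpin" NAT).  The external IP
# in the post is masked, so 203.0.113.10 below is a placeholder.

# Print (do not apply) the rules for one forwarded port; pipe to sh to apply.
#   $1 internal if   $2 external IP   $3 firewall LAN IP
#   $4 LAN network   $5 port          $6 internal target host
hairpin_rules() {
    int_if=$1 ext_ip=$2 fw_lan_ip=$3 lan_net=$4 port=$5 target=$6
    for proto in tcp udp; do
        # 1. An internal client sends to <ext_ip>:<port>; rewrite the destination
        #    to the internal server, as the normal forward does for the WAN side.
        #    Without this the packet is addressed to the firewall itself and ends
        #    up in INPUT, which is where the post's DROP comes from.
        echo "iptables -t nat -A PREROUTING -i $int_if -d $ext_ip -p $proto --dport $port -j DNAT --to-destination $target:$port"
        # 2. Rewrite the source to the firewall's LAN address so the server's
        #    replies go back through the firewall (which undoes the DNAT) instead
        #    of straight to the client, which expects replies from $ext_ip and
        #    would otherwise reset the connection.
        echo "iptables -t nat -A POSTROUTING -s $lan_net -d $target -p $proto --dport $port -j SNAT --to-source $fw_lan_ip"
        # 3. The flow enters and leaves on the same interface; FORWARD must allow it.
        echo "iptables -A FORWARD -i $int_if -o $int_if -d $target -p $proto --dport $port -j ACCEPT"
    done
}

# Usage: sh hairpin.sh | sh      (values from the post; external IP is a placeholder)
if [ $# -eq 0 ] && [ -t 1 ]; then
    hairpin_rules eth1 203.0.113.10 192.168.1.1 192.168.1.0/24 12345 192.168.1.5
fi
```

The SNAT in step 2 hides the real client address from the internal server, which is the usual trade-off of hairpin NAT; the alternative is split-horizon DNS so internal clients resolve the name to 192.168.1.5 directly and never touch the external address. Note also that eBox regenerates its iptables rule set when the firewall module is saved, so rules added by hand are lost unless they are re-applied after each save.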

30
Installation and Upgrades / Re: Asterisk - configuration question
« on: February 11, 2010, 11:54:09 pm »
jsalamero wrote:
Quote
Recipient of incoming calls is intended to be the local user or queue who will receive the SIP call made to your SIP user 1777XXXXXXX@callcentric.com  (or any number redirected to this user by your provider).

Please explain your statement regarding incoming calls. The SIP provider redirects the call to the registered WAN IP (ebox IP). Now what? Which extension rings by default, and how do I configure this?
