Re: No one any idea for --> TLS Authentication before Domain Logon XP?

Armin Krämer Kraemer.Armin at web.de
Fri Jan 6 21:49:42 CET 2006


Here, this is the only output of freeradius-X-A when I copy the certificate
into the Machine location in MMC Computer Certificates and add the root certs
also. What kind of OID is now correct for the machine certificate? The normal
Client Authentication OID or another?
 
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.252:3912, id=44, length=156
        User-Name = "host/Notebook-AK.ak-server.de"
        NAS-IP-Address = 192.168.1.252
        NAS-Identifier = "acess_point_siemens"
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x022c002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465
        Message-Authenticator = 0x53d26ddeab0dd0406e4710707257e707
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 44 length 34
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 207
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 44 to 192.168.1.252:3912
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x012d00060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc64cbbb104fb839fdb2c2cede14e4f2e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 44 with timestamp 43be09ac
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.1.252:3913, id=45, length=156
        User-Name = "host/Notebook-AK.ak-server.de"
        NAS-IP-Address = 192.168.1.252
        NAS-Identifier = "acess_point_siemens"
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x022d002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465
        Message-Authenticator = 0xfb2bddbd89303b852866ad099e315c52
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 45 length 34
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 207
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 45 to 192.168.1.252:3913
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x012e00060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x399b87c79d22ab0ddb4e05e1d9a82ba0
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 45 with timestamp 43be09ba
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.1.252:3914, id=49, length=156
        User-Name = "host/Notebook-AK.ak-server.de"
        NAS-IP-Address = 192.168.1.252
        NAS-Identifier = "acess_point_siemens"
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0231002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465
        Message-Authenticator = 0xcd4c57a9fe6aee99122c8d49a5e53b67
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 49 length 34
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 207
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 49 to 192.168.1.252:3914
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x013200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc7e2274ffcdd02aa0f62849fcecac329
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 49 with timestamp 43be09c9
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.1.252:3915, id=50, length=156
        User-Name = "host/Notebook-AK.ak-server.de"
        NAS-IP-Address = 192.168.1.252
        NAS-Identifier = "acess_point_siemens"
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0232002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465
        Message-Authenticator = 0x3ab989079d5ca1b3abfb0d32144ee2ab
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 50 length 34
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 207
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 50 to 192.168.1.252:3915
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x013300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x393c81cd6ea79ede5fbcfee1323f3941
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 50 with timestamp 43be09d8
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.1.252:3916, id=56, length=156
        User-Name = "host/Notebook-AK.ak-server.de"
        NAS-IP-Address = 192.168.1.252
        NAS-Identifier = "acess_point_siemens"
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0238002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465
        Message-Authenticator = 0xca20e829fc17c4ebab2fe61953c82bd3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 56 length 34
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 207
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 56 to 192.168.1.252:3916
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x013900060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa9e40551d301f9f826603a1b7c44c9c0
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 56 with timestamp 43be09e8
Nothing to do.  Sleeping until we see a request. 

-----Original Message-----
From: freeradius-users-bounces+kraemer.armin=web.de at lists.freeradius.org
[mailto:freeradius-users-bounces+kraemer.armin=web.de at lists.freeradius.org]
On behalf of Alan DeKok
Sent: Friday, January 6, 2006 21:03
To: FreeRadius users mailing list
Subject: Re: No one any idea for --> TLS Authentication before Domain Logon XP?

"Timothy J. Miller" <tmiller at mitre.org> wrote:
> The correct OIDs are:
> 
> RADIUS server certificate: 1.3.6.1.5.5.7.3.1 (TLS Server Authentication)
> 
> Client certificate: 1.3.6.1.5.5.7.3.2 (TLS Client Authentication)

  For *user* logins.  The *machine* login uses the other OIDs.

  Alan DeKok.
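
Decoding the EAP-Message attributes from the debug output above shows what each side actually sent. This is an added example, not part of the original thread or of FreeRADIUS; the function names are hypothetical and the hex values are copied from the first two request cycles in the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS"}

def decode_eap(hex_value):
    """Decode one EAP packet (RFC 3748 header) from an EAP-Message hex string."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != attribute length {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        etype, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:                      # Identity: payload is the name
            pkt["identity"] = data.decode("utf-8", "replace")
        elif etype == 13 and data:          # EAP-TLS: first byte is flags (RFC 5216)
            flags = data[0]
            pkt["tls_flags"] = {"length_included": bool(flags & 0x80),
                                "more_fragments": bool(flags & 0x40),
                                "start": bool(flags & 0x20)}
            pkt["tls_payload_len"] = len(data) - 1
    return pkt

def tls_start_unanswered(hex_packets):
    """Return (starts, answered): EAP-TLS Start requests seen, and how many
    were followed by an EAP-TLS response from the supplicant."""
    pkts = [decode_eap(h) for h in hex_packets]
    starts = answered = 0
    for cur, nxt in zip(pkts, pkts[1:] + [None]):
        if cur["code"] == "Request" and cur.get("tls_flags", {}).get("start"):
            starts += 1
            if nxt and nxt["code"] == "Response" and nxt.get("type") == "EAP-TLS":
                answered += 1
    return starts, answered

# EAP-Message values in log order (requests 0 and 1), copied from the output above.
IDENTITY_44 = "0x022c002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465"
IDENTITY_45 = "0x022d002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465"
LOG_EAP = [IDENTITY_44, "0x012d00060d20", IDENTITY_45, "0x012e00060d20"]

if __name__ == "__main__":
    for h in LOG_EAP:
        print(decode_eap(h))
    print("starts, answered:", tls_start_unanswered(LOG_EAP))
```

Each Access-Challenge is an EAP-TLS Start with no TLS payload, and the next Access-Request is again an Identity response rather than an EAP-TLS response.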