Freeradius, Cisco SSC, eDirectory, EAP/(T)TLS Problem
Sven 'Darkman' Michels
sven at darkman.de
Wed Mar 26 16:35:54 CET 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Alan DeKok wrote:
> Sven 'Darkman' Michels wrote:
>>> here we can CLEARLY see that EAP is done before LDAP
>> exactly, yeah, but the log says the other way around. I get an LDAP
>> request, which succeeds, and after that a TLS NACK (due to no cert).
>> I would expect it's the other way around, shouldn't it?
>
> Post the debug log. It lists which modules are being executed, and in
> what order.
Will do so later. Busy day today, sorry :(
> EAP uses *many* round trips. So you may be looking at the output from
> two different packets, and concluding that the processing is in a
> *different* order than in the config files.
>
> Read the debug log. It's *all* there.
Ok, I'll double-check that. But just a note: if I use the wrong cert and
see a NACK message in the log, then my TTLS failed and I shouldn't see
an LDAP query at all...? Or do I misunderstand something here? I just
want to make sure that my client is "my" client, and not a stranger.
That's why I want the EAP stuff (to force everything to be "signed" by the client's
cert, and avoid password attacks and stuff like that).
Thanks for your (quick) help so far.
Many regards,
Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH6m1aQoCguWUBzBwRAoPrAKCOmL1bNYMan8eZIfcCSansLFUlvwCfVbFA
YjUDvyfJn8rN7P1JwA0RjMw=
=IUrc
-----END PGP SIGNATURE-----
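Alan's advice is to read the `radiusd -X` debug log per packet, because an EAP-TTLS exchange spans several Access-Requests and each of them runs the `authorize` section (where `ldap` is listed) before `authenticate` (where `eap` runs the TLS handshake). As an added example that is not part of this thread or of FreeRADIUS itself, the script below groups debug output by received packet and lists the module calls in order, so one can see that the LDAP lookup and the TLS failure belong to different steps of the same conversation rather than to a reversed module order. The sample log lines are constructed to approximate the FreeRADIUS 2.x debug format (`rad_recv:`, `+- entering group`, `++[module] returns rcode`) and are not taken from the original post; the regular expressions assume those line shapes and would need adjusting for other versions.

```python
"""Group FreeRADIUS 'radiusd -X' output by received packet and list, per packet,
the modules that ran and what each returned.  Example code added to this thread;
it is not part of FreeRADIUS.  The regexes assume the 2.x debug line shapes and
are an approximation, not a guaranteed parser for every FreeRADIUS release."""
import re

# Constructed sample (not from the original post) approximating radiusd -X output
# for two packets of one EAP-TTLS conversation: the first carries the EAP start,
# the second a TLS handshake that fails because the client certificate is untrusted.
SAMPLE_DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=1, length=140
\tUser-Name = "alice"
\tEAP-Message = 0x020100060315
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns updated
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.0.2.10 port 1645
Finished request 0.
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=2, length=220
\tUser-Name = "alice"
\tEAP-Message = 0x0202006e1500
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns updated
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
  rlm_eap_tls: TLS Alert read:fatal:unknown CA
++[eap] returns reject
Sending Access-Reject of id 2 to 192.0.2.10 port 1645
Finished request 1.
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
GROUP_RE = re.compile(r"^\+- entering group (\w+)")
MODULE_RE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+)")


def parse_debug_log(text):
    """Return one dict per received packet: its id, type, the ordered
    (group, module, rcode) steps, any TLS alert line seen, and the reply type."""
    packets, current, group = [], None, None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = {"type": m.group(1), "host": m.group(2), "id": int(m.group(3)),
                       "steps": [], "tls_alert": None, "reply": None}
            packets.append(current)
            group = None
            continue
        if current is None:
            continue  # preamble before the first packet
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)  # authorize, authenticate, post-auth, ...
            continue
        m = MODULE_RE.match(line)
        if m:
            current["steps"].append((group, m.group(1), m.group(2)))
            continue
        if "TLS Alert" in line:
            current["tls_alert"] = line.strip()
            continue
        m = SEND_RE.match(line)
        if m:
            current["reply"] = m.group(1)
    return packets


def steps_before(packets, group, module, rcode):
    """All (packet_id, group, module, rcode) steps, across the whole conversation,
    that ran before the first step matching the given group/module/rcode."""
    seen = []
    for p in packets:
        for g, mod, rc in p["steps"]:
            if (g, mod, rc) == (group, module, rcode):
                return seen
            seen.append((p["id"], g, mod, rc))
    return seen


def summarize(packets):
    """One line per packet: id, type, ordered module calls, reply (or none)."""
    lines = []
    for p in packets:
        calls = ", ".join(f"{g}:{mod}/{rc}" for g, mod, rc in p["steps"])
        alert = f" [{p['tls_alert']}]" if p["tls_alert"] else ""
        lines.append(f"id={p['id']} {p['type']}: {calls}{alert} -> {p['reply']}")
    return lines


if __name__ == "__main__":
    pkts = parse_debug_log(SAMPLE_DEBUG_LOG)
    print("\n".join(summarize(pkts)))
    ran_first = steps_before(pkts, "authenticate", "eap", "reject")
    print(f"{len(ran_first)} module calls ran before the EAP reject, "
          f"including ldap in authorize on every packet of the conversation.")
```

Run it against a saved `radiusd -X` capture instead of the constructed sample to see, per packet, that `ldap` in `authorize` returns before `eap` in `authenticate` reaches the TLS handshake; the fix for "LDAP is queried even when the cert is wrong" is therefore in section ordering or conditional module calls, not in the TLS failure itself.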