Authentication Failed

Devinder Singh devinbhullar at gmail.com
Wed Jan 20 08:55:19 CET 2010


######################################################################
#
#  Create a new client certificate, signed by the CA certificate
#  (ca.pem / ca.key) created above.
#
######################################################################
client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key \
		-config ./client.cnf

# Sign the request with the CA; xpclient_ext adds the clientAuth EKU
# that the Windows XP supplicant requires.
client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr \
		-key $(PASSWORD_CA) -out client.crt \
		-extensions xpclient_ext -extfile xpextensions \
		-config ./client.cnf

# PKCS#12 bundle (certificate + private key) to import on the client.
client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key \
		-out client.p12 \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

# Check that the client certificate chains to the CA in this directory.
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem


2010/1/20 Devinder Singh <devinbhullar at gmail.com>

> Hi Ivan,
>
> I can't seem to authenticate my Windows XP client using EAP authentication.
> I have followed the steps in /etc/raddb/certs.
>
> This is my radius start-up:
>  Module: Instantiating eap-tls
>    tls {
>         rsa_key_exchange = no
>         dh_key_exchange = yes
>         rsa_key_length = 512
>         dh_key_length = 512
>         verify_depth = 0
>         pem_file_type = yes
>         private_key_file = "/etc/raddb/certs/server.pem"
>         certificate_file = "/etc/raddb/certs/server.pem"
>         CA_file = "/etc/raddb/certs/ca.pem"
>         private_key_password = "myettelap"
>         dh_file = "/etc/raddb/certs/dh"
>         random_file = "/etc/raddb/certs/random"
>         fragment_size = 1024
>         include_length = yes
>         check_crl = no
>         cipher_list = "DEFAULT"
>         make_cert_command = "/etc/raddb/certs/bootstrap"
>     cache {
>         enable = no
>         lifetime = 24
>         max_entries = 255
>     }
>    }
>  Module: Linked to sub-module rlm_eap_ttls
>  Module: Instantiating eap-ttls
>    ttls {
>         default_eap_type = "md5"
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>    }
>  Module: Linked to sub-module rlm_eap_peap
>  Module: Instantiating eap-peap
>    peap {
>         default_eap_type = "mschapv2"
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         proxy_tunneled_request_as_eap = yes
>         virtual_server = "inner-tunnel"
>    }
>  Module: Linked to sub-module rlm_eap_mschapv2
>  Module: Instantiating eap-mschapv2
>    mschapv2 {
>         with_ntdomain_hack = no
>    }
>  Module: Checking authorize {...} for more modules to load
>  Module: Linked to module rlm_realm
>  Module: Instantiating suffix
>   realm suffix {
>         format = "suffix"
>         delimiter = "@"
>         ignore_default = no
>         ignore_null = no
>   }
>  Module: Linked to module rlm_files
>  Module: Instantiating files
>   files {
>         usersfile = "/etc/raddb/users"
>         acctusersfile = "/etc/raddb/acct_users"
>         preproxy_usersfile = "/etc/raddb/preproxy_users"
>         compat = "no"
>   }
>  Module: Checking session {...} for more modules to load
>  Module: Linked to module rlm_radutmp
>  Module: Instantiating radutmp
>   radutmp {
>         filename = "/var/log/radius/radutmp"
>         username = "%{User-Name}"
>         case_sensitive = yes
>         check_with_nas = yes
>         perm = 384
>         callerid = yes
>   }
>  Module: Checking post-proxy {...} for more modules to load
>  Module: Checking post-auth {...} for more modules to load
>  Module: Linked to module rlm_attr_filter
>  Module: Instantiating attr_filter.access_reject
>   attr_filter attr_filter.access_reject {
>         attrsfile = "/etc/raddb/attrs.access_reject"
>         key = "%{User-Name}"
>   }
>  }
> }
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Checking authorize {...} for more modules to load
>  Module: Linked to module rlm_preprocess
>  Module: Instantiating preprocess
>   preprocess {
>         huntgroups = "/etc/raddb/huntgroups"
>         hints = "/etc/raddb/hints"
>         with_ascend_hack = no
>         ascend_channels_per_line = 23
>         with_ntdomain_hack = no
>         with_specialix_jetstream_hack = no
>         with_cisco_vsa_hack = no
>         with_alvarion_vsa_hack = no
>   }
>  Module: Checking preacct {...} for more modules to load
>  Module: Linked to module rlm_acct_unique
>  Module: Instantiating acct_unique
>   acct_unique {
>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>   }
>  Module: Checking accounting {...} for more modules to load
>  Module: Linked to module rlm_detail
>  Module: Instantiating detail
>   detail {
>         detailfile =
> "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>         header = "%t"
>         detailperm = 384
>         dirperm = 493
>         locking = no
>         log_packet_header = no
>   }
>  Module: Instantiating attr_filter.accounting_response
>   attr_filter attr_filter.accounting_response {
>         attrsfile = "/etc/raddb/attrs.accounting_response"
>         key = "%{User-Name}"
>   }
>  Module: Checking session {...} for more modules to load
>  Module: Checking post-proxy {...} for more modules to load
>  Module: Checking post-auth {...} for more modules to load
>  }
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>         type = "auth"
>         ipaddr = *
>         port = 0
> }
> listen {
>         type = "acct"
>         ipaddr = *
>         port = 0
> }
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on proxy address * port 1814
> Ready to process requests.
>
>
> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>
> Hi Ivan,
>>
>> I created the certificates based on the README file in etc/raddb and copied
>> ca.der and client.p12 to Windows XP.
>>
>> I also made changes to the Makefile, which runs on XP, but when I
>> connect to the SSID I get "authentication failed" and the radius does not seem
>> to get any response from the Proxim AP.
>>
>>
>>
>> --
>> Devinder
>>
>
>
>
> --
> Devinder
>



-- 
Devinder
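The certificate pipeline from the Makefile fragment above, carried through end to end as an added example. This is not the FreeRADIUS project's own code and not anything from the post: it builds a throwaway CA, a server certificate signed with the xpserver_ext section and a client certificate signed with xpclient_ext, exports the client.p12 and ca.der that a Windows XP supplicant imports, and then checks what the Makefile's client.vrfy target does not: that each end-entity certificate really carries the extended key usage the XP EAP supplicant insists on (Server Authentication on the RADIUS server certificate, Client Authentication on the client certificate), which is the whole reason the xpextensions file exists. Signing uses openssl x509 -req instead of openssl ca so that no index.txt or serial database is needed; the subject names, the PASSWORD_CLIENT value, the req.cnf contents and the $WORK directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not FreeRADIUS code. Builds CA -> server cert -> client cert
# the way raddb/certs/Makefile does, then verifies chain and EKUs.
# Assumptions: subject names, PASSWORD_CLIENT, req.cnf layout, $WORK dir.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not found; nothing to demonstrate" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
PASSWORD_CLIENT="whatever"      # assumed; the Makefile reads it from ca.cnf

# Minimal req(1) config: fixed DN (overridden by -subj) plus a CA section.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# The two sections FreeRADIUS ships in raddb/certs/xpextensions:
# clientAuth (1.3.6.1.5.5.7.3.2) and serverAuth (1.3.6.1.5.5.7.3.1).
cat > "$WORK/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# Issue an end-entity cert: $1 = basename, $2 = CN, $3 = xpextensions section.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/xpextensions" -extensions "$3" \
        -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
    # Self-signed CA (the Makefile's ca.pem/ca.key); ca.der is what XP imports.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=Demo EAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
    issue server "radius.example.org" xpserver_ext
    issue client "user@example.org" xpclient_ext
    # PKCS#12 bundle (cert + key) for the supplicant, as the Makefile's client.p12.
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -out "$WORK/client.p12" -passout "pass:$PASSWORD_CLIENT"
}

# Chain check, the same thing the Makefile's "openssl verify -CApath ." does.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Does the certificate list the named EKU? $2 is the text openssl prints,
# e.g. "TLS Web Client Authentication" or "TLS Web Server Authentication".
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Can the supplicant-side bundle be opened with the password it was given?
p12_opens() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASSWORD_CLIENT" \
        -nokeys -out /dev/null 2>/dev/null
}

report() {
    for c in server client; do
        if verify_chain "$WORK/$c.crt"; then echo "$c.crt: chains to ca.pem"
        else echo "$c.crt: does NOT chain to ca.pem"; fi
    done
    if has_eku "$WORK/server.crt" "TLS Web Server Authentication"; then
        echo "server.crt: serverAuth EKU present (xpserver_ext)"
    else echo "server.crt: serverAuth EKU MISSING, XP will reject the server"; fi
    if has_eku "$WORK/client.crt" "TLS Web Client Authentication"; then
        echo "client.crt: clientAuth EKU present (xpclient_ext)"
    else echo "client.crt: clientAuth EKU MISSING"; fi
    if p12_opens; then echo "client.p12: opens with PASSWORD_CLIENT"; fi
    echo "artifacts in $WORK (ca.der and client.p12 go to the XP client)"
}

build_chain
report
```

Run it as `sh demo.sh` or `WORK=./certs sh demo.sh` to keep the output; the same has_eku check can be pointed at an existing /etc/raddb/certs/server.pem to confirm the server certificate the tls section loads actually carries serverAuth. One caveat for current toolchains: OpenSSL 3 encrypts PKCS#12 files with AES and PBKDF2 by default, which old Windows releases such as XP cannot import, so add `-legacy` to the `openssl pkcs12 -export` call when the bundle is destined for such a client.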