EAP-TLS certificate problem

John Dennis jdennis at redhat.com
Tue Feb 19 15:42:51 CET 2013


On 02/19/2013 09:16 AM, Muhammad Nadeem wrote:
> On 2/19/13, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> On 19/02/13 09:11, Muhammad Nadeem wrote:
>>> Hi, everybody
>>> I have used the pre-shipped certificates of FreeRADIUS for testing
>>> purposes. This testing succeeded with a test user 'bob', with files
>>> authentication.
>>> Now in the next step I want to authenticate a user from my database with
>>> digital certificates. When I authenticate the user, the server side
>>> confirms and sends an "Access-Accept" packet, but at the client, the
>>> following error occurs.
>>> " No Message-Authenticator attribute found
>>> Incoming RADIUS packet did not have correct Message-Authenticator -
>>> dropped
>>> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
>>> - dropping packet"
>>>
>>> I googled this problem and found a solution: that the user Auth-Type is
>>> set to Accept (I manually checked the user in the database, and its
>>> Auth-Type was Accept) and this type prevents further processing.
>>
>> Yes
>>
>>> Now my question is: could I continue EAP-TLS authentication,
>>> regardless of Auth-Type being set to Accept?
>>
>> No. Don't set Auth-Type unless you know what you're doing.

Doesn't look like you actually heeded this advice, does it? Hint: look at
your select statement. You're setting the Auth-Type.

> OK, thanks,
> I succeeded in authenticating the users from a database.
> But when I set up the same setup on another machine, I failed :(
> The following output is the debug output of the FreeRADIUS server. (I
> think EAP NAK is creating problems.)
> [sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
> USERNAME,'Auth-Type' AS Attribute,
> AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
> FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS
> USERNAME,'Auth-Type' AS Attribute,
> AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
> dual ORDER BY RC_ID
> [sql] User found in radcheck table

> Found Auth-Type = Accept
> Found Auth-Type = EAP
> Warning:  Found 2 auth-types on request for user '001AAD3F8165'

-- 
John Dennis <jdennis at redhat.com>
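
Added example, not part of the original message and not FreeRADIUS code: a small Python check that scans `radiusd -X` debug output for the condition pointed out in the reply above, namely a SQL check query that returns `Auth-Type` and a request that ends up with `Accept` alongside another Auth-Type. The regular expressions are assumptions modelled on the lines quoted in this thread; the function name `audit` and the finding labels are hypothetical.

```python
import re

# Constructed sample: the debug lines quoted in the message above, with the
# mail line-wrapping and "> " quoting removed.
SAMPLE = (
    "[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS USERNAME,"
    "'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}')"
    " AS Value,':=' AS op FROM dual ORDER BY RC_ID\n"
    "[sql] User found in radcheck table\n"
    "Found Auth-Type = Accept\n"
    "Found Auth-Type = EAP\n"
    "Warning:  Found 2 auth-types on request for user '001AAD3F8165'\n"
)

# Patterns are assumptions based on the log lines shown in the thread.
SQL_SETS = re.compile(r"\[sql\]\s+expand:.*'Auth-Type'\s+AS\s+Attribute", re.I)
FOUND = re.compile(r"Found Auth-Type = (\S+)")
CONFLICT = re.compile(r"Found \d+ auth-types on request for user '([^']*)'")


def audit(debug_text):
    """Return findings as (kind, user, auth_types) tuples."""
    findings, pending = [], []
    for raw in debug_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quoting
        if SQL_SETS.search(line):
            # The check query itself hands back Auth-Type as a check item.
            findings.append(("sql-query-sets-auth-type", None, ()))
        elif (m := FOUND.search(line)):
            pending.append(m.group(1))
        elif (m := CONFLICT.search(line)):
            kind = ("accept-with-other-auth-type" if "Accept" in pending
                    else "auth-type-conflict")
            findings.append((kind, m.group(1), tuple(pending)))
            pending = []
    if "Accept" in pending:  # Accept was set, but no warning line followed
        findings.append(("forced-accept", None, tuple(pending)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding that involves `Accept` means the credential check (here, the EAP-TLS certificate exchange) is not what decides the outcome for that user, so the check query should be changed to stop returning `Auth-Type`.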
