<html><body bgcolor='#ffffff' style='font-size:9pt; font-family:Verdana; font-family: Verdana' ><P>Hi, thanks for your email!</P><P>Ok, i tried it out but i have some problems. If i use the DWORT String you sent me it has no efekkt. I found an other DWORT Key which Sounds "AuthMode" and with this DWORT he only tries to authentificate with the machine account. Maybe you have made a typing mistake in your email?? Ok, but my problem ist, that when he tries to authentificate with the Computer Account i see in the radius debugging modse that he only tried to use the default entry in the user File and not the "Client3" Entry. It seems that he does not find the right Computer Certificate or the Freeradius does not find the Right Entry in his user File??? </P><P>This is the output from Freeradius -X -A when the DWORT "AuthMode" is set to 2 </P><P> </P><P>Starting - reading configuration files ...<BR>reread_config: reading radiusd.conf<BR>Config: including file!
: /etc/freeradius/proxy.conf<BR>Config: including file: /etc/freeradius/clients.conf<BR>Config: including file: /etc/freeradius/snmp.conf<BR>Config: including file: /etc/freeradius/eap.conf<BR>Config: including file: /etc/freeradius/sql.conf<BR> main: prefix = "/usr"<BR> main: localstatedir = "/var"<BR> main: logdir = "/var/log/freeradius"<BR> main: libdir = "/usr/lib/freeradius"<BR> main: radacctdir = "/var/log/freeradius/radacct"<BR> main: hostname_lookups = no<BR> main: max_request_time = 30<BR> main: cleanup_delay = 5<BR> main: max_requests = 1024<BR> main: delete_blocked_requests = 0<BR> main: port = 0<BR> main: allow_core_dumps = no<BR> main: log_stripped_names = no<BR> main: log_file = "/var/log/freeradius/radius.log"<BR> main: log_auth = no<BR> main: log_auth_badpass = no<BR> main: log_auth_goodpass = no<BR> main: pidfile = "/var/!
run/freeradius/freeradius.pid"<BR> main: user = "freerad"<BR>&nbs
p;main: group = "freerad"<BR> main: usercollide = no<BR> main: lower_user = "no"<BR> main: lower_pass = "no"<BR> main: nospace_user = "no"<BR> main: nospace_pass = "no"<BR> main: checkrad = "/usr/sbin/checkrad"<BR> main: proxy_requests = yes<BR> proxy: retry_delay = 5<BR> proxy: retry_count = 3<BR> proxy: synchronous = no<BR> proxy: default_fallback = yes<BR> proxy: dead_time = 120<BR> proxy: post_proxy_authorize = yes<BR> proxy: wake_all_if_all_dead = no<BR> security: max_attributes = 200<BR> security: reject_delay = 1<BR> security: status_server = no<BR> main: debug_level = 0<BR>read_config_files: reading dictionary<BR>read_config_files: reading naslist<BR>Using deprecated naslist file. Support for this will go away soon.<BR>read_config_files: reading clients<BR>read_config_files: reading realms<BR>radiusd: entering modules setup<BR>Module: Library !
search path is /usr/lib/freeradius<BR>Module: Loaded exec <BR> exec: wait = yes<BR> exec: program = "(null)"<BR> exec: input_pairs = "request"<BR> exec: output_pairs = "(null)"<BR> exec: packet_type = "(null)"<BR>rlm_exec: Wait=yes but no output defined. Did you mean output=none?<BR>Module: Instantiated exec (exec) <BR>Module: Loaded expr <BR>Module: Instantiated expr (expr) <BR>Module: Loaded PAP <BR> pap: encryption_scheme = "crypt"<BR>Module: Instantiated pap (pap) <BR>Module: Loaded CHAP <BR>Module: Instantiated chap (chap) <BR>Module: Loaded MS-CHAP <BR> mschap: use_mppe = yes<BR> mschap: require_encryption = no<BR> mschap: require_strong = no<BR> mschap: with_ntdomain_hack = no<BR> mschap: passwd = "(null)"<BR> mschap: authtype = "MS-CHAP"<BR> mschap: ntlm_auth = "(null)"<BR>Module: Instantiated mschap (mschap) <BR>Module: Loaded System <BR> unix: cache = no<BR> unix: passwd = "(null)"<BR> !
;unix: shadow = "/etc/shadow"<BR> unix: group = "(null)"<BR> 
;unix: radwtmp = "/var/log/freeradius/radwtmp"<BR> unix: usegroup = no<BR> unix: cache_reload = 600<BR>Module: Instantiated unix (unix) <BR>Module: Loaded eap <BR> eap: default_eap_type = "tls"<BR> eap: timer_expire = 60<BR> eap: ignore_unknown_eap_types = no<BR> eap: cisco_accounting_username_bug = no<BR>rlm_eap: Loaded and initialized type md5<BR>rlm_eap: Loaded and initialized type leap<BR> gtc: challenge = "Password: "<BR> gtc: auth_type = "PAP"<BR>rlm_eap: Loaded and initialized type gtc<BR> tls: rsa_key_exchange = no<BR> tls: dh_key_exchange = yes<BR> tls: rsa_key_length = 512<BR> tls: dh_key_length = 512<BR> tls: verify_depth = 0<BR> tls: CA_path = "(null)"<BR> tls: pem_file_type = yes<BR> tls: private_key_file = "/etc/ssl/certs/8021x-server.pem"<BR> tls: certificate_file = "/etc/ssl/certs/8021x-server.pem"<BR> tls: CA_file = "/etc/ssl/certs/root.pem"<BR> tls: private_key_pa!
ssword = "whatever"<BR> tls: dh_file = "/etc/ssl/certs/dh"<BR> tls: random_file = "/etc/ssl/certs/random"<BR> tls: fragment_size = 1024<BR> tls: include_length = yes<BR> tls: check_crl = no<BR> tls: check_cert_cn = "(null)"<BR>rlm_eap: Loaded and initialized type tls<BR> mschapv2: with_ntdomain_hack = no<BR>rlm_eap: Loaded and initialized type mschapv2<BR>Module: Instantiated eap (eap) <BR>Module: Loaded preprocess <BR> preprocess: huntgroups = "/etc/freeradius/huntgroups"<BR> preprocess: hints = "/etc/freeradius/hints"<BR> preprocess: with_ascend_hack = no<BR> preprocess: ascend_channels_per_line = 23<BR> preprocess: with_ntdomain_hack = no<BR> preprocess: with_specialix_jetstream_hack = no<BR> preprocess: with_cisco_vsa_hack = no<BR>Module: Instantiated preprocess (preprocess) <BR>Module: Loaded realm <BR> realm: format = "suffix"<BR> realm: delimiter = "@"<BR> realm: ignore_default = no<!
BR> realm: ignore_null = no<BR>Module: Instantiated realm (suffix
) <BR>Module: Loaded files <BR> files: usersfile = "/etc/freeradius/users"<BR> files: acctusersfile = "/etc/freeradius/acct_users"<BR> files: preproxy_usersfile = "/etc/freeradius/preproxy_users"<BR> files: compat = "no"<BR>Module: Instantiated files (files) <BR>Module: Loaded Acct-Unique-Session-Id <BR> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<BR>Module: Instantiated acct_unique (acct_unique) <BR>Module: Loaded detail <BR> detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<BR> detail: detailperm = 384<BR> detail: dirperm = 493<BR> detail: locking = no<BR>Module: Instantiated detail (detail) <BR>Module: Loaded radutmp <BR> radutmp: filename = "/var/log/freeradius/radutmp"<BR> radutmp: username = "%{User-Name}"<BR> radutmp: case_sensitive = yes<BR> radutmp: check_with_nas = yes<BR> radutmp: perm = 384<BR> radutmp: ca!
llerid = yes<BR>Module: Instantiated radutmp (radutmp) <BR>Listening on authentication *:1812<BR>Listening on accounting *:1813<BR>Listening on proxy *:1814<BR>Ready to process requests.<BR>rad_recv: Access-Request packet from host 10.40.0.254:1024, id=103, length=120<BR> NAS-IP-Address = 10.40.0.254<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Message-Authenticator = 0x8e013b02cf39c8b291f8a9d790f3bd6a<BR> NAS-Port = 8<BR> Framed-MTU = 1490<BR> User-Name = "host/Client3"<BR> Calling-Station-Id = "00-10-5A-F7-F0-BA"<BR> EAP-Message = 0x02ff001101686f73742f436c69656e7433<BR> Processing the authorize section of radiusd.conf<BR>modcall: entering group authorize for request 0<BR> modcall[authorize]: module "preprocess" returns ok for request 0<BR> modcall[authorize]: module "chap" returns noop for request 0<BR> modcall[authorize]: module "mschap" returns noop for request 0<BR> &nbs!
p; rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "host/Cli
ent3", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR> modcall[authorize]: module "suffix" returns noop for request 0<BR> rlm_eap: EAP packet type response id 255 length 17<BR> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR> modcall[authorize]: module "eap" returns updated for request 0<BR> users: Matched entry DEFAULT at line 181<BR> users: Matched entry DEFAULT at line 200<BR> modcall[authorize]: module "files" returns ok for request 0<BR>modcall: group authorize returns updated for request 0<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR> Processing the authenticate section of radiusd.conf<BR>modcall: entering group authenticate for request 0<BR> rlm_eap: EAP Identity<BR> rlm_eap: processing type tls<BR> rlm_eap_tls: Requiring client certificate<BR> rlm_eap_tls: Initiate<BR> rlm_eap_tls: !
Start returned 1<BR> modcall[authenticate]: module "eap" returns handled for request 0<BR>modcall: group authenticate returns handled for request 0<BR>Sending Access-Challenge of id 103 to 10.40.0.254:1024<BR> Framed-IP-Address = 255.255.255.254<BR> Framed-MTU = 576<BR> Service-Type = Framed-User<BR> EAP-Message = 0x010000060d20<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x1814a65439afaa74487aa379af48ead9<BR>Finished request 0<BR>Going to the next request<BR>--- Walking the entire request list ---<BR>Waking up in 6 seconds...<BR>--- Walking the entire request list ---<BR>Cleaning up request 0 ID 103 with timestamp 430b0c7e<BR>Nothing to do. Sleeping until we see a request.<BR>rad_recv: Access-Request packet from host 10.40.0.254:1024, id=104, length=120<BR> NAS-IP-Address = 10.40.0.254<BR> NAS-Port-Type = Ethernet<BR> Service-Type = Framed-User<BR> Message-Authenticator = 0xe3868d2!
de84c592e7e54eb355b23752f<BR> NAS-Port = 8<BR> Framed-MTU =
1490<BR> User-Name = "host/Client3"<BR> Calling-Station-Id = "00-10-5A-F7-F0-BA"<BR> EAP-Message = 0x0201001101686f73742f436c69656e7433<BR> Processing the authorize section of radiusd.conf<BR>modcall: entering group authorize for request 1<BR> modcall[authorize]: module "preprocess" returns ok for request 1<BR> modcall[authorize]: module "chap" returns noop for request 1<BR> modcall[authorize]: module "mschap" returns noop for request 1<BR> rlm_realm: No <A href="mailto:'@'">'@'</A> in User-Name = "host/Client3", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR> modcall[authorize]: module "suffix" returns noop for request 1<BR> rlm_eap: EAP packet type response id 1 length 17<BR> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR> modcall[authorize]: module "eap" returns updated for request 1<BR> users: Matched entry DEFAULT at li!
ne 181<BR> users: Matched entry DEFAULT at line 200<BR> modcall[authorize]: module "files" returns ok for request 1<BR>modcall: group authorize returns updated for request 1<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR> Processing the authenticate section of radiusd.conf<BR>modcall: entering group authenticate for request 1<BR></P><P> </P><P>FreeRadius users mailing list <freeradius-users@lists.freeradius.org> schrieb am 23.08.05 09:15:13:<BR><BR></P><TABLE id=alt style="PADDING-LEFT: 10px; FONT-SIZE: 9pt; MARGIN-LEFT: 20px; BORDER-LEFT: blue 2px solid; FONT-FAMILY: Verdana"><TBODY><TR><TD><BR>At 16:26 22/08/05, you wrote:<BR>>Hi, i sucessfully installed a Radius authentificated Network with EAP-TLS<BR>>Authentifikation. But I cant get logon to my Domain Controller when<BR>>themachines boot up.. Ok, I know this Problem is not new, but is there any<BR>>chance to solve this problem without !
additional software like AEGIS?? Or is<BR>>there an other Software
for Windows XP and or 2000 which is free from<BR>>license? And is itpossible to set a default vlan group where the Domain<BR>>Controller exists and all Clients firstly get in and later change the<BR>>VLANID??? Would this be possible and how would it work?<BR>><BR>>Greetings Armin<BR><BR>I have managed to do this by three different routes.<BR><BR>1. Use the Microsoft built in wireless client. To do this you need to use <BR>mmc and the certificate plug in to install a CA certificate & personal <BR>certificate for the local machine. Create a wireless profile in XP which <BR>connects to your network using the CA certificate you installed. Then add a <BR>DWORD registry entry AuthType with a value of 2 to <BR>HKLMSOFTWAREMicrosoftEAPOLParametersGeneralGlobal. This causes XP to <BR>use the machine account to authenticate to the network. This only uses the <BR>machine account to authenticate against the network, at no time does it use <BR>the users account. Other !
values to use are 0 - Use the default XP <BR>authentication, 1 - Always perform user authentication when a user logs on, <BR>2 - Perform computer authentication only.<BR><BR>2. As above, but don't add the registry entry. This time the machine will <BR>authenticate itself to the network before logon which allows the computer <BR>to see the network and the domain. Once the user logs on to the domain the <BR>connection is lost and the user account is then used to authenticate <BR>against the network. The problem here is that unless the user also has a <BR>valid personal certificate the authentication fails. This means going round <BR>to each user and installing a certificate, unless you can do it via Active <BR>Directory, we are using a Samba PDC here so that is not possible. I decided <BR>against this option with having 1500 potential users.<BR><BR>3. If you are using Intel wireless cards download the full version of the <BR>ProSet drivers, mine were 2200BG. This allows for d!
ifferent profiles which <BR>work as the machine before logon, or durin
g logon to validate the user <BR>against the network. It also adds TTLS as well as TLS. There is a problem <BR>with this software if you are using roaming profiles. During logoff the <BR>network connection is dropped and it is impossible to upload the profile to <BR>the servers. According to Intel this is a know problem and at this time <BR>they have not replied to say if there is going to be a fix for it. This <BR>method worked very well upto the point of saving the profile, it is also <BR>much easier to distribute the settings to other machine using the profile <BR>import feature the ProSet drivers provide.<BR><BR>Steve Atkinson<BR>Deputy Network Manager<BR><BR>Fallibroome High School<BR>Priory Lane<BR>Macclesfield<BR>Cheshire<BR>SK10 4AF<BR><BR>- <BR>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html</TD></TR></TBODY></TABLE><BR></body></html>