<html><body bgcolor='#ffffff' style='font-size:9pt; font-family:Verdana; font-family: Verdana' ><P>Ok, the whole day I tried to get it to work but this time when I install the certificate as a machine certificate the radius authentication log ends up with this log below.</P><P>The certificates were generated with openssl and all works fine as user certificates but not as computer certificate. I set the registry patch which was described in the mailing list to a value of 2. </P><P>If anyone knows why this doesn't work please mail me. </P><P>rad_recv: Access-Request packet from host 10.40.0.254:1024, id=125, length=120<BR>
NAS-IP-Address = 10.40.0.254<BR>
NAS-Port-Type = Ethernet<BR>
Service-Type = Framed-User<BR>
Message-Authenticator = 0x75b32a36b118137416c352ac114ec00c<BR>
NAS-Port = 8<BR>
Framed-MTU = 1490<BR>
User-Name = "host/Client5"<BR>
Calling-Station-Id = "00-10-5A-F7-F0-BA"<BR>
EAP-Message = 0x02ff001101686f73742f436c69656e7435<BR>
Processing the authorize section of radiusd.conf<BR>
modcall: entering group authorize for request 0<BR>
modcall[authorize]: module "preprocess" returns ok for request 0<BR>
modcall[authorize]: module "chap" returns noop for request 0<BR>
modcall[authorize]: module "mschap" returns noop for request 0<BR>
rlm_realm: No '@' in User-Name = "host/Client5", looking up realm NULL<BR>
rlm_realm: No such realm "NULL"<BR>
modcall[authorize]: module "suffix" returns noop for request 0<BR>
rlm_eap: EAP packet type response id 255 length 17<BR>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>
modcall[authorize]: module "eap" returns updated for request 0<BR>
users: Matched entry DEFAULT at line 181<BR>
users: Matched entry DEFAULT at line 200<BR>
modcall[authorize]: module "files" returns ok for request 0
<BR>modcall: group authorize returns updated for request 0<BR>
rad_check_password: Found Auth-Type EAP<BR>
auth: type "EAP"<BR>
Processing the authenticate section of radiusd.conf<BR>
modcall: entering group authenticate for request 0<BR>
rlm_eap: EAP Identity<BR>
rlm_eap: processing type tls<BR>
rlm_eap_tls: Requiring client certificate<BR>
rlm_eap_tls: Initiate<BR>
rlm_eap_tls: Start returned 1<BR>
modcall[authenticate]: module "eap" returns handled for request 0<BR>
modcall: group authenticate returns handled for request 0<BR>
Sending Access-Challenge of id 125 to 10.40.0.254:1024<BR>
Framed-IP-Address = 255.255.255.254<BR>
Framed-MTU = 576<BR>
Service-Type = Framed-User<BR>
EAP-Message = 0x010000060d20<BR>
Message-Authenticator = 0x00000000000000000000000000000000<BR>
State = 0x3409168c713d79e19e09bf2f2ab092c9<BR>
Finished request 0<BR>
Going to the next request<BR>
--- Walking the entire request list ---<BR>
Waking up in 6 seconds...<BR>
--- Walking the entire request list ---<BR>
Cleaning up request 0 ID 125 with timestamp 430c8459<BR>
Nothing to do. Sleeping until we see a request.<BR><BR>
FreeRadius users mailing list &lt;freeradius-users@lists.freeradius.org&gt; wrote on 24.08.05 09:52:57:<BR><BR></P><TABLE id=alt style="PADDING-LEFT: 10px; FONT-SIZE: 9pt; MARGIN-LEFT: 20px; BORDER-LEFT: blue 2px solid; FONT-FAMILY: Verdana"><TBODY><TR><TD><BR>At 12:49 23/08/05, you wrote:<BR><BR>
>Hi, thanks for your email!<BR>
><BR>
>Ok, I tried it out but I have some problems. If I use the DWORD String you <BR>
>sent me it has no effect. I found another DWORD Key which Sounds <BR>
>"AuthMode" and with this DWORD he only tries to authenticate with the <BR>
>machine account. Maybe you have made a typing mistake in your email??<BR><BR>
Whoops - You are right it was a typing mistake, it is AuthMode.<BR><BR>
>Ok, but my problem is, that when he tries to authenticate with the <BR>
>Computer Account I see in the radius debugging mode that he only tried to <BR>
>use the default entry in the user File and not the "Client3" Entry. It <BR>
>seems that he does not find the right Computer Certificate or the <BR>
>Freeradius does not find the Right Entry in his user File???<BR><BR>
I am new to freeRADIUS myself; in order to get my system working I followed <BR>
the instructions in these web pages, <BR>
http://www.linuxjournal.com/article/8017, <BR>
http://www.linuxjournal.com/article/8095, <BR>
http://www.linuxjournal.com/article/8151.<BR><BR>
It does look like a certificates problem, but then I am very new to <BR>
FreeRADIUS and I spent a considerable amount of time adjusting settings to <BR>
make it work.<BR><BR><BR>
>This is the output from Freeradius -X -A when the DWORD "AuthMode" is set <BR>
>to 2<BR>
><BR>
><BR>
><BR>
>Starting - reading configuration files ...<BR>
>reread_config: reading radiusd.conf<BR>
>Config: including file: /etc/freeradius/proxy.conf<BR>
>Config: including file: /etc/freeradius/clients.conf<BR>
>Config: including file: /etc/freeradius/snmp.conf<BR>
>Config: including file: /etc/freeradius/eap.conf<BR>
>Config: including file: /etc/freeradius/sql.conf<BR>
> main: prefix = "/usr"<BR>
> main: localstatedir = "/var"<BR>
> main: logdir = "/var/log/freeradius"<BR>
> main: libdir = "/usr/lib/freeradius"<BR>
> main: radacctdir = "/var/log/freeradius/radacct"<BR>
> main: hostname_lookups = no<BR>
> main: max_request_time = 30<BR>
> main: cleanup_delay = 5<BR>
> main: max_requests = 1024<BR>
> main: delete_blocked_requests = 0<BR>
> main: port = 0<BR>
> main: allow_core_dumps = no<BR>
> main: log_stripped_names = no<BR>
> main: log_file = "/var/log/freeradius/radius.log"<BR>
> main: log_auth = no<BR>
> main: log_auth_badpass = no<BR>
> main: log_auth_goodpass = no<BR>
> main: pidfile = "/var/run/freeradius/freeradius.pid"<BR>
> main: user = "freerad"<BR>
> main: group = "freerad"<BR>
> main: usercollide = no<BR>
> main: lower_user = "no"<BR>
> main: lower_pass = "no"<BR>
> main: nospace_user = "no"<BR>
> main: nospace_pass = "no"<BR>
> main: checkrad = "/usr/sbin/checkrad"<BR>
> main: proxy_requests = yes<BR>
> proxy: retry_delay = 5<BR>
> proxy: retry_count = 3<BR>
> proxy: synchronous = no<BR>
> proxy: default_fallback = yes<BR>
> proxy: dead_time = 120<BR>
> proxy: post_proxy_authorize = yes<BR>
> proxy: wake_all_if_all_dead = no<BR>
> security: max_attributes = 200<BR>
> security: reject_delay = 1<BR>
> security: status_server = no<BR>
> main: debug_level = 0<BR>
>read_config_files: reading dictionary<BR>
>read_config_files: reading naslist<BR>
>Using deprecated naslist file. Support for this will go away soon.<BR>
>read_config_files: reading clients<BR>
>read_config_files: reading realms<BR>
>radiusd: entering modules setup<BR>
>Module: Library search path is /usr/lib/freeradius<BR>
>Module: Loaded exec<BR>
> exec: wait = yes<BR>
> exec: program = "(null)"<BR>
> exec: input_pairs = "request"<BR>
> exec: output_pairs = "(null)"<BR>
> exec: packet_type = "(null)"<BR>
>rlm_exec: Wait=yes but no output defined. Did you mean output=none?<BR>
>Module: Instantiated exec (exec)<BR>
>Module: Loaded expr<BR>
>Module: Instantiated expr (expr)<BR>
>Module: Loaded PAP<BR>
> pap: encryption_scheme = "crypt"<BR>
>Module: Instantiated pap (pap)<BR>
>Module: Loaded CHAP<BR>
>Module: Instantiated chap (chap)<BR>
>Module: Loaded MS-CHAP<BR>
> mschap: use_mppe = yes<BR>
> mschap: require_encryption = no<BR>
> mschap: require_strong = no<BR>
> mschap: with_ntdomain_hack = no<BR>
> mschap: passwd = "(null)"<BR>
> mschap: authtype = "MS-CHAP"<BR>
> mschap: ntlm_auth = "(null)"<BR>
>Module: Instantiated mschap (mschap)<BR>
>Module: Loaded System<BR>
> unix: cache = no<BR>
> unix: passwd = "(null)"<BR>
> unix: shadow = "/etc/shadow"<BR>
> unix: group = "(null)"<BR>
> unix: radwtmp = "/var/log/freeradius/radwtmp"<BR>
> unix: usegroup = no<BR>
> unix: cache_reload = 600<BR>
>Module: Instantiated unix (unix)<BR>
>Module: Loaded eap<BR>
> eap: default_eap_type = "tls"<BR>
> eap: timer_expire = 60<BR>
> eap: ignore_unknown_eap_types = no<BR>
> eap: cisco_accounting_username_bug = no<BR>
>rlm_eap: Loaded and initialized type md5<BR>
>rlm_eap: Loaded and initialized type leap<BR>
> gtc: challenge = "Password: "<BR>
> gtc: auth_type = "PAP"<BR>
>rlm_eap: Loaded and initialized type gtc<BR>
> tls: rsa_key_exchange = no<BR>
> tls: dh_key_exchange = yes<BR>
> tls: rsa_key_length = 512<BR>
> tls: dh_key_length = 512<BR>
> tls: verify_depth = 0<BR>
> tls: CA_path = "(null)"<BR>
> tls: pem_file_type = yes<BR>
> tls: private_key_file = "/etc/ssl/certs/8021x-server.pem"<BR>
> tls: certificate_file = "/etc/ssl/certs/8021x-server.pem"<BR>
> tls: CA_file = "/etc/ssl/certs/root.pem"<BR>
> tls: private_key_password = "whatever"<BR>
> tls: dh_file = "/etc/ssl/certs/dh"<BR>
> tls: random_file = "/etc/ssl/certs/random"<BR>
> tls: fragment_size = 1024<BR>>
tls: include_length = yes<BR>
> tls: check_crl = no<BR>
> tls: check_cert_cn = "(null)"<BR>
>rlm_eap: Loaded and initialized type tls<BR>
> mschapv2: with_ntdomain_hack = no<BR>
>rlm_eap: Loaded and initialized type mschapv2<BR>
>Module: Instantiated eap (eap)<BR>
>Module: Loaded preprocess<BR>
> preprocess: huntgroups = "/etc/freeradius/huntgroups"<BR>
> preprocess: hints = "/etc/freeradius/hints"<BR>
> preprocess: with_ascend_hack = no<BR>
> preprocess: ascend_channels_per_line = 23<BR>
> preprocess: with_ntdomain_hack = no<BR>
> preprocess: with_specialix_jetstream_hack = no<BR>
> preprocess: with_cisco_vsa_hack = no<BR>
>Module: Instantiated preprocess (preprocess)<BR>
>Module: Loaded realm<BR>
> realm: format = "suffix"<BR>
> realm: delimiter = "@"<BR>
> realm: ignore_default = no<BR>
> realm: ignore_null = no<BR>
>Module: Instantiated realm (suffix)<BR>
>Module: Loaded files<BR>
> files: usersfile = "/etc/freeradius/users"<BR>
> files: acctusersfile = "/etc/freeradius/acct_users"<BR>
> files:
preproxy_usersfile = "/etc/freeradius/preproxy_users"<BR>
> files: compat = "no"<BR>
>Module: Instantiated files (files)<BR>
>Module: Loaded Acct-Unique-Session-Id<BR>
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<BR>
>Module: Instantiated acct_unique (acct_unique)<BR>
>Module: Loaded detail<BR>
> detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<BR>
> detail: detailperm = 384<BR>
> detail: dirperm = 493<BR>
> detail: locking = no<BR>
>Module: Instantiated detail (detail)<BR>
>Module: Loaded radutmp<BR>
> radutmp: filename = "/var/log/freeradius/radutmp"<BR>
> radutmp: username = "%{User-Name}"<BR>
> radutmp: case_sensitive = yes<BR>
> radutmp: check_with_nas = yes<BR>
> radutmp: perm = 384<BR>
> radutmp: callerid = yes<BR>
>Module: Instantiated radutmp (radutmp)<BR>
>Listening on authentication *:1812<BR>
>Listening on accounting
*:1813<BR>
>Listening on proxy *:1814<BR>
>Ready to process requests.<BR>
>rad_recv: Access-Request packet from host 10.40.0.254:1024, id=103, length=120<BR>
> NAS-IP-Address = 10.40.0.254<BR>
> NAS-Port-Type = Ethernet<BR>
> Service-Type = Framed-User<BR>
> Message-Authenticator = 0x8e013b02cf39c8b291f8a9d790f3bd6a<BR>
> NAS-Port = 8<BR>
> Framed-MTU = 1490<BR>
> User-Name = "host/Client3"<BR>
> Calling-Station-Id = "00-10-5A-F7-F0-BA"<BR>
> EAP-Message = 0x02ff001101686f73742f436c69656e7433<BR>
> Processing the authorize section of radiusd.conf<BR>
>modcall: entering group authorize for request 0<BR>
> modcall[authorize]: module "preprocess" returns ok for request 0<BR>
> modcall[authorize]: module "chap" returns noop for request 0<BR>
> modcall[authorize]: module "mschap" returns noop for request 0<BR>
> rlm_realm: No '@' in User-Name = "host/Client3", looking up realm NULL<BR>
> rlm_realm: No such realm "NULL"<BR>
> modcall[authorize]: module "suffix"
returns noop for request 0<BR>
> rlm_eap: EAP packet type response id 255 length 17<BR>
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>
> modcall[authorize]: module "eap" returns updated for request 0<BR>
> users: Matched entry DEFAULT at line 181<BR>
> users: Matched entry DEFAULT at line 200<BR>
> modcall[authorize]: module "files" returns ok for request 0<BR>
>modcall: group authorize returns updated for request 0<BR>
> rad_check_password: Found Auth-Type EAP<BR>
>auth: type "EAP"<BR>
> Processing the authenticate section of radiusd.conf<BR>
>modcall: entering group authenticate for request 0<BR>
> rlm_eap: EAP Identity<BR>
> rlm_eap: processing type tls<BR>
> rlm_eap_tls: Requiring client certificate<BR>
> rlm_eap_tls: Initiate<BR>
> rlm_eap_tls: Start returned 1<BR>
> modcall[authenticate]: module "eap" returns handled for request 0<BR>
>modcall: group authenticate returns handled for request 0<BR>
>Sending
Access-Challenge of id 103 to 10.40.0.254:1024<BR>
> Framed-IP-Address = 255.255.255.254<BR>
> Framed-MTU = 576<BR>
> Service-Type = Framed-User<BR>
> EAP-Message = 0x010000060d20<BR>
> Message-Authenticator = 0x00000000000000000000000000000000<BR>
> State = 0x1814a65439afaa74487aa379af48ead9<BR>
>Finished request 0<BR>
>Going to the next request<BR>
>--- Walking the entire request list ---<BR>
>Waking up in 6 seconds...<BR>
>--- Walking the entire request list ---<BR>
>Cleaning up request 0 ID 103 with timestamp 430b0c7e<BR>
>Nothing to do. Sleeping until we see a request.<BR>
>rad_recv: Access-Request packet from host 10.40.0.254:1024, id=104, length=120<BR>
> NAS-IP-Address = 10.40.0.254<BR>
> NAS-Port-Type = Ethernet<BR>
> Service-Type = Framed-User<BR>
> Message-Authenticator = 0xe3868d2de84c592e7e54eb355b23752f<BR>
> NAS-Port = 8<BR>
> Framed-MTU = 1490<BR>
> User-Name = "host/Client3"<BR>
> Calling-Station-Id = "00-10-5A-F7-F0-BA"<BR>
> EAP-Message = 0x0201001101686f73742f436c69656e7433<BR>
> Processing the authorize section of radiusd.conf<BR>
>modcall: entering group authorize for request 1<BR>
> modcall[authorize]: module "preprocess" returns ok for request 1<BR>
> modcall[authorize]: module "chap" returns noop for request 1<BR>
> modcall[authorize]: module "mschap" returns noop for request 1<BR>
> rlm_realm: No '@' in User-Name = "host/Client3", looking up realm NULL<BR>
> rlm_realm: No such realm "NULL"<BR>
> modcall[authorize]: module "suffix" returns noop for request 1<BR>
> rlm_eap: EAP packet type response id 1 length 17<BR>
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>
> modcall[authorize]: module "eap" returns updated for request 1<BR>
> users: Matched entry DEFAULT at line 181<BR>
> users: Matched entry DEFAULT at line 200<BR>
> modcall[authorize]: module "files" returns ok for request 1<BR>
>modcall: group authorize returns updated for request 1<BR>
> rad_check_password: Found Auth-Type EAP<BR>
>auth: type "EAP"<BR>
> Processing the authenticate section of radiusd.conf<BR>
>modcall: entering group authenticate for request 1<BR>
><BR>
><BR><BR>
Fallibroome High School<BR>
Priory Lane<BR>
Macclesfield<BR>
Cheshire<BR>
SK10 4AF<BR><BR>
- <BR>
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html</TD></TR></TBODY></TABLE><BR></body></html>