<html><body bgcolor='#ffffff' style='font-size:9pt; font-family:Verdana; font-family: Verdana' ><P>Hi, i found this thred yesterday and tried it out to add this OID but it had no effekt...OK maybe i made somthing wrong. Could you describe how you added this oid to your machine zertifikate? Today i built completely new root,server and client certificates depending on the article in <A href="http://www.linuxjournal.com/article/8095">www.linuxjournal.com/article/8095</A>. </P><P>I will post here my users file: My new generated Client Certifikates uses client10 as Client Name.</P><P>Greetings Armin</P><P> </P><PRE>## Please read the documentation file ../doc/processing_users_file,# or 'man 5 users' (after installing the server) for more information.## This file contains authentication security and configuration# information for each user. Accounting requests are NOT processed# through this file. Instead, see 'acct_users', in this directory.## The first field is the !
user's name and can be up to# 253 characters in length. This is followed (on the same line) with# the list of authentication requirements for that user. This can# include password, comm server name, comm server port number, protocol# type (perhaps set by the "hints" file), and huntgroup name (set by# the "huntgroups" file).## If you are not sure why a particular reply is being sent by the# server, then run the server in debugging mode (radiusd -X), and# you will see which entries in this file are matched.## When an authentication request is received from the comm server,# these values are tested. Only the first match is used unless the# "Fall-Through" variable is set to "Yes".## A special user named "DEFAULT" matches on all usernames.# You can have several DEFAULT entries. All entries are processed# in the order they appear in this file. The first entry that# matches the login-request will stop processing unless you use# the Fall-Through variable.## If you use the databas!
e support to turn this file into a .db or .dbm# file, the DEFAULT entr
ies _have_ to be at the end of this file and# you can't have multiple entries for one username.## You don't need to specify a password if you set Auth-Type += System# on the list of authentication requirements. The RADIUS server# will then check the system password file.## Indented (with the tab character) lines following the first# line indicate the configuration values to be passed back to# the comm server to allow the initiation of a user session.# This can include things like the PPP configuration values# or the host to log the user onto.## You can include another `users' file with `$INCLUDE users.other'### For a list of RADIUS attributes, and links to their definitions,# see:## http://www.freeradius.org/rfc/attributes.html### Deny access for a specific user. Note that this entry MUST# be before any other 'Auth-Type' attribute which results in the user# being authenticated.## Note that there is NO 'Fall-Through' attribute, so the user will not# be given any additional r!
esources.##lameuser Auth-Type := Reject# Reply-Message = "Your account has been disabled."## Deny access for a group of users.## Note that there is NO 'Fall-Through' attribute, so the user will not# be given any additional resources.##DEFAULT Group == "disabled", Auth-Type := Reject# Reply-Message = "Your account has been disabled."### This is a complete entry for "steve". Note that there is no Fall-Through# entry so that no DEFAULT entry will be used, and the user will NOT# get any attributes in addition to the ones listed here.##steve Auth-Type := Local, User-Password == "testing"# Service-Type = Framed-User,# Framed-Protocol = PPP,# Framed-IP-Address = 172.16.3.33,# Framed-IP-Netmask = 255.255.255.0,# Framed-Routing = Broadcast-Listen,# Framed-Filter-Id = "std.ppp",# Framed-MTU = 1500,# Framed-Compression = Van-Jacobsen-TCP-IP#test Auth-Type := Local, User-Password == "testing"# Service-Type = Framed-User,# Framed-Protocol = PPP,# Framed-IP-Address = 172.16.3.33,# Fra!
med-IP-Netmask = 255.255.255.0,# Framed-Routing = Broadcast-Listen,# F
ramed-Filter-Id = "std.ppp",# Framed-MTU = 1500,# Framed-Compression = Van-Jacobsen-TCP-IP#DEFAULT Auth-Type := EAP-TLS #Local, User-Password == "whatever"# Reply-Message = "Default Client",# Tunnel-Medium-Type = 6,# Tunnel-Private-Group-Id = 1,# Tunnel-Type = 13Client1 Auth-Type := EAP-TLS #Local, User-Password == "whatever" Reply-Message = "Hello,%u Willkommen im Netzwerk der Firma Metaldyne", Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 1, Tunnel-Type = 13host/Client10 Auth-Type := EAP-TLS #Local, User-Password == "whatever" Reply-Message = "Client10", Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 1, Tunnel-Type = 13Workstation3 Auth-Type := EAP-TLS #Local, User-Password == "whatever" Reply-Message = "client3", Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 1, Tunnel-Type = 13## This is an entry for a user with a space in their name.# Note !
the double quotes surrounding the name.##"John Doe" Auth-Type := Local, User-Password == "hello"# Reply-Message = "Hello, %u"## Dial user back and telnet to the default host for that port##Deg Auth-Type := Local, User-Password == "ge55ged"# Service-Type = Callback-Login-User,# Login-IP-Host = 0.0.0.0,# Callback-Number = "9,5551212",# Login-Service = Telnet,# Login-TCP-Port = Telnet## Another complete entry. After the user "dialbk" has logged in, the# connection will be broken and the user will be dialed back after which# he will get a connection to the host "timeshare1".##dialbk Auth-Type := Local, User-Password == "callme"# Service-Type = Callback-Login-User,# Login-IP-Host = timeshare1,# Login-Service = PortMaster,# Callback-Number = "9,1-800-555-1212"## user "swilson" will only get a static IP number if he logs in with# a framed protocol on a terminal server in Alphen (see the huntgroups file).## Note that by setting "Fall-Through", other attributes will be added from# !
the following DEFAULT entries##swilson Service-Type == Framed-User, Hu
ntgroup-Name == "alphen"# Framed-IP-Address = 192.168.1.65,# Fall-Through = Yes## If the user logs in as 'username.shell', then authenticate them# against the system database, give them shell access, and stop processing# the rest of the file.##DEFAULT Suffix == ".shell", Auth-Type := System# Service-Type = Login-User,# Login-Service = Telnet,# Login-IP-Host = your.shell.machine## The rest of this file contains the several DEFAULT entries.# DEFAULT entries match with all login names.# Note that DEFAULT entries can also Fall-Through (see first entry).# A name-value pair from a DEFAULT entry will _NEVER_ override# an already existing name-value pair.### First setup all accounts to be checked against the UNIX /etc/passwd.# (Unless a password was already given earlier in this file).##DEFAULT Auth-Type = System# Fall-Through = 1## Set up different IP address pools for the terminal servers.# Note that the "+" behind the IP address means that this is the "base"# IP address. The!
Port-Id (S0, S1 etc) will be added to it.##DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"# Framed-IP-Address = 192.168.1.32+,# Fall-Through = Yes#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"# Framed-IP-Address = 192.168.2.32+,# Fall-Through = Yes## Defaults for all framed connections.#DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes## Default for PPP: dynamic IP address, PPP mode, VJ-compression.# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected# by the terminal server in which case there may not be a "P" suffix.# The terminal server sends "Framed-Protocol = PPP" for auto PPP.#DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP## Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.#DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP#!
# Default for SLIP: dynamic IP address, SLIP mode.#DEFAULT Hint == "SL
IP" Framed-Protocol = SLIP## Last default: rlogin to our main server.##DEFAULT# Service-Type = Login-User,# Login-Service = Rlogin,# Login-IP-Host = shellbox.ispdomain.com# ## # Last default: shell on the local terminal server.# ## DEFAULT# Service-Type = Shell-User# On no match, the user is denied access.</PRE><P><BR> </P><P>FreeRadius users mailing list <freeradius-users@lists.freeradius.org> schrieb am 25.08.05 13:28:44:<BR><BR></P><TABLE id=alt style="PADDING-LEFT: 10px; FONT-SIZE: 9pt; MARGIN-LEFT: 20px; BORDER-LEFT: blue 2px solid; FONT-FAMILY: Verdana"><TBODY><TR><TD><BR>I also found using machine certificates to be hit and miss (some<BR>machines they'd be picked up, others they wouldn't - all XP SP2 with<BR>appropriate patches).<BR><BR>And then I stumbled on this<BR><BR>http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html<BR><BR>1.3.6.1.4.1.311.17.2<BR><BR>After I started adding that OID to my machine certs, everything<BR>started worki!
ng wonderfully.<BR><BR>I shook my fist at Microsoft that day!<BR><BR>Cheers,<BR><BR>Ben<BR>On 8/25/05, Steven Atkinson <atn@fallibroome.cheshire.sch.uk> wrote:<BR>> Armin,<BR>> <BR>> At 15:40 24/08/05, you wrote:<BR>> <BR>> >Ok, the hole day i tried to get it to work but this time when i install<BR>> >the certificate as a machine zertifikate the radius authentifikation log<BR>> >ends up with this log below.<BR>> ><BR>> >The Certificates where generated with openssl and all works fine as User<BR>> >certificates but not as computer zertificate. I set the Registry Patch<BR>> >which was diescribed in the mailing list to a value of 2.<BR>> <BR>> As Ben has suggested in another email, there are some required extensions<BR>> to the certificates to enable Windows to authenticate. How did you make<BR>> your certificates, I followed the instructions in<BR>> http://www.linuxjournal.com/article/8095.<BR>> <BR!
>> Steve Atkinson<BR>> <BR>> <BR>> Fallibroome High School
<BR>> Priory Lane<BR>> Macclesfield<BR>> Cheshire<BR>> SK10 4AF<BR>> <BR>> -<BR>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR>><BR><BR>- <BR>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html</TD></TR></TBODY></TABLE><BR></body></html>