You may need to add some extra configuration to your hints file:<br>
<br>
<pre>
# Wireless XP devices prefix the user name with host/
DEFAULT Prefix == "host/"
        Hint = "Wireless-Workstation"
</pre>
<br>
<br>
As far as I understand it, that will chop the host/ off for certain
types of processing. I'm sure Alan will brutally correct me if
I'm misleading you though :)<br>
<br>
I've personally found the XP 802.1X w. EAP/TLS to be a bit finicky to
get working - however an enterprise deployment I've been involved in
has managed to get it working reliably using FreeRADIUS and the Windows
wireless stack. There are some tricks to making machine certs get
detected reliably on Windows using undocumented attributes in the
certificate. We use a custom CA and custom enrollment
applications to get the certificates loaded quickly and correctly onto
the machines / PDAs.<br>
<br>
Cheers,<br>
<br>
Ben<br>
<br>
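To see why the host/ prefix decides which users-file entry is hit, here is an added Python model of the hints processing Ben describes (my example, not FreeRADIUS code and not from anyone in this thread): it parses the attribute lines of a rad_recv block like the ones quoted below, applies a Prefix check in the shape of Ben's snippet, and reports which users entry would match before and after stripping. The sample request, the users entry names, and the rule that the users lookup keys on Stripped-User-Name when present are assumptions.

```python
import re

# Attribute lines of an Access-Request, constructed after the debug output
# quoted in this thread (an XP machine account logging on as host/Client3).
SAMPLE_REQUEST = """\
rad_recv: Access-Request packet from host 10.40.0.254:1024, id=103, length=120
        NAS-IP-Address = 10.40.0.254
        User-Name = "host/Client3"
        Calling-Station-Id = "00-10-5A-F7-F0-BA"
"""
# Hints entries in the shape of Ben's snippet: (Prefix check, Hint to add).
HINTS = [("host/", "Wireless-Workstation")]
# Assumed users-file entry names: the per-machine entry Armin expects to
# match, and the DEFAULT fall-back that his log shows being hit instead.
USERS = ["Client3", "DEFAULT"]
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_attrs(debug_text):
    """Collect the 'Name = value' lines of a rad_recv block into a dict."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def apply_hints(attrs, hints=HINTS):
    """Model of the hints Prefix check (not rlm_preprocess code): when
    User-Name starts with the prefix, add Stripped-User-Name without it
    and attach the Hint; otherwise leave the request untouched."""
    out = dict(attrs)
    name = out.get("User-Name", "")
    for prefix, hint in hints:
        if name.startswith(prefix):
            out["Stripped-User-Name"] = name[len(prefix):]
            out["Hint"] = hint
            break
    return out

def match_users_entry(attrs, users=USERS):
    """First users entry whose name equals the lookup name (DEFAULT always
    matches).  Assumption: the lookup keys on Stripped-User-Name if present."""
    name = attrs.get("Stripped-User-Name") or attrs.get("User-Name", "")
    for entry in users:
        if entry in (name, "DEFAULT"):
            return entry
    return None

def diagnose(debug_text):
    """Users entry matched (without hints, with hints) for one rad_recv block."""
    attrs = parse_attrs(debug_text)
    return match_users_entry(attrs), match_users_entry(apply_hints(attrs))
```

Run against the constructed request, diagnose returns ('DEFAULT', 'Client3'): without the Prefix rule only DEFAULT matches, which is exactly what the quoted log shows.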
<br><br><div><span class="gmail_quote">On 8/25/05, <b class="gmail_sendername">Armin Krämer</b> <<a href="mailto:Kraemer.Armin@web.de">Kraemer.Armin@web.de</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<p>Ok, the whole day I tried to get it to work, but this time when I
install the certificate as a machine certificate the radius
authentication log ends up with this log below.</p><p>The
Certificates were generated with openssl and all works fine as User
certificates but not as computer certificate. I set the Registry Patch
which was described in the mailing list to a value of 2. </p><p>If anyone knows why this doesn't work please mail me. </p>
<pre>
rad_recv: Access-Request packet from host 10.40.0.254:1024, id=125, length=120
        NAS-IP-Address = 10.40.0.254
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x75b32a36b118137416c352ac114ec00c
        NAS-Port = 8
        Framed-MTU = 1490
        User-Name = "host/Client5"
        Calling-Station-Id = "00-10-5A-F7-F0-BA"
        EAP-Message = 0x02ff001101686f73742f436c69656e7435
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "host/Client5", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 255 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 181
    users: Matched entry DEFAULT at line 200
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 125 to 10.40.0.254:1024
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010000060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3409168c713d79e19e09bf2f2ab092c9
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 125 with timestamp 430c8459
Nothing to do. Sleeping until we see a request.
</pre>
<p>FreeRadius users mailing list &lt;<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>&gt; wrote on 24.08.05 09:52:57:</p><table style="border-left: 2px solid blue; padding-left: 10px; font-size: 9pt; margin-left: 20px; font-family: Verdana;"><tbody><tr><td>
<p>At 12:49 23/08/05, you wrote:</p>
<pre>
>Hi, thanks for your email!
>
>Ok, I tried it out but I have some problems. If I use the DWORD String you
>sent me it has no effect. I found another DWORD Key which Sounds
>"AuthMode" and with this DWORD he only tries to authenticate with the
>machine account. Maybe you have made a typing mistake in your email??
</pre>
<p>Whoops - you are right, it was a typing mistake, it is AuthMode.</p>
<pre>
>Ok, but my problem is that when he tries to authenticate with the
>Computer Account I see in the radius debugging mode that he only tried to
>use the default entry in the user File and not the "Client3" Entry. It
>seems that he does not find the right Computer Certificate or the
>Freeradius does not find the Right Entry in his user File???
</pre>
<p>I am new to freeRADIUS myself; in order to get my system working I followed
the instructions in these web pages,
<a href="http://www.linuxjournal.com/article/8017">http://www.linuxjournal.com/article/8017</a>,
<a href="http://www.linuxjournal.com/article/8095">http://www.linuxjournal.com/article/8095</a>,
<a href="http://www.linuxjournal.com/article/8151">http://www.linuxjournal.com/article/8151</a>.</p>
<p>It does look like a certificates problem, but then I am very new to
FreeRADIUS and I spent a considerable amount of time adjusting settings to
make it work.</p>
<pre>
>This is the output from Freeradius -X -A when the DWORD "AuthMode" is set
>to 2
>
>
>
>Starting - reading configuration files ...
>reread_config: reading radiusd.conf
>Config: including file: /etc/freeradius/proxy.conf
>Config: including file: /etc/freeradius/clients.conf
>Config: including file: /etc/freeradius/snmp.conf
>Config: including file: /etc/freeradius/eap.conf
>Config: including file: /etc/freeradius/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/freeradius"
> main: libdir = "/usr/lib/freeradius"
> main: radacctdir = "/var/log/freeradius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/freeradius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/freeradius/freeradius.pid"
> main: user = "freerad"
> main: group = "freerad"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
>read_config_files: reading dictionary
>read_config_files: reading naslist
>Using deprecated naslist file. Support for this will go away soon.
>read_config_files: reading clients
>read_config_files: reading realms
>radiusd: entering modules setup
>Module: Library search path is /usr/lib/freeradius
>Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
>rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>Module: Instantiated exec (exec)
>Module: Loaded expr
>Module: Instantiated expr (expr)
>Module: Loaded PAP
> pap: encryption_scheme = "crypt"
>Module: Instantiated pap (pap)
>Module: Loaded CHAP
>Module: Instantiated chap (chap)
>Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
>Module: Instantiated mschap (mschap)
>Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> ;unix: shadow = "/etc/shadow"
> unix: group = "(null)"
> ;unix: radwtmp = "/var/log/freeradius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
>Module: Instantiated unix (unix)
>Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
>rlm_eap: Loaded and initialized type md5
>rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
>rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/ssl/certs/8021x-server.pem"
> tls: certificate_file = "/etc/ssl/certs/8021x-server.pem"
> tls: CA_file = "/etc/ssl/certs/root.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/etc/ssl/certs/dh"
> tls: random_file = "/etc/ssl/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
>rlm_eap: Loaded and initialized type tls
> mschapv2: with_ntdomain_hack = no
>rlm_eap: Loaded and initialized type mschapv2
>Module: Instantiated eap (eap)
>Module: Loaded preprocess
> preprocess: huntgroups = "/etc/freeradius/huntgroups"
> preprocess: hints = "/etc/freeradius/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
>Module: Instantiated preprocess (preprocess)
>Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
>Module: Instantiated realm (suffix)
>Module: Loaded files
> files: usersfile = "/etc/freeradius/users"
> files: acctusersfile = "/etc/freeradius/acct_users"
> files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
> files: compat = "no"
>Module: Instantiated files (files)
>Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>Module: Instantiated acct_unique (acct_unique)
>Module: Loaded detail
> detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
>Module: Instantiated detail (detail)
>Module: Loaded radutmp
> radutmp: filename = "/var/log/freeradius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
>Module: Instantiated radutmp (radutmp)
>Listening on authentication *:1812
>Listening on accounting *:1813
>Listening on proxy *:1814
>Ready to process requests.
>rad_recv: Access-Request packet from host 10.40.0.254:1024, id=103, length=120
>        NAS-IP-Address = 10.40.0.254
>        NAS-Port-Type = Ethernet
>        Service-Type = Framed-User
>        Message-Authenticator = 0x8e013b02cf39c8b291f8a9d790f3bd6a
>        NAS-Port = 8
>        Framed-MTU = 1490
>        User-Name = "host/Client3"
>        Calling-Station-Id = "00-10-5A-F7-F0-BA"
>        EAP-Message = 0x02ff001101686f73742f436c69656e7433
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "host/Client3", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: EAP packet type response id 255 length 17
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 0
>    users: Matched entry DEFAULT at line 181
>    users: Matched entry DEFAULT at line 200
>  modcall[authorize]: module "files" returns ok for request 0
>modcall: group authorize returns updated for request 0
>  rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 0
>  rlm_eap: EAP Identity
>  rlm_eap: processing type tls
>  rlm_eap_tls: Requiring client certificate
>  rlm_eap_tls: Initiate
>  rlm_eap_tls: Start returned 1
>  modcall[authenticate]: module "eap" returns handled for request 0
>modcall: group authenticate returns handled for request 0
>Sending Access-Challenge of id 103 to 10.40.0.254:1024
>        Framed-IP-Address = 255.255.255.254
>        Framed-MTU = 576
>        Service-Type = Framed-User
>        EAP-Message = 0x010000060d20
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x1814a65439afaa74487aa379af48ead9
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 103 with timestamp 430b0c7e
>Nothing to do. Sleeping until we see a request.
>rad_recv: Access-Request packet from host 10.40.0.254:1024, id=104, length=120
>        NAS-IP-Address = 10.40.0.254
>        NAS-Port-Type = Ethernet
>        Service-Type = Framed-User
>        Message-Authenticator = 0xe3868d2de84c592e7e54eb355b23752f
>        NAS-Port = 8
>        Framed-MTU = 1490
>        User-Name = "host/Client3"
>        Calling-Station-Id = "00-10-5A-F7-F0-BA"
>        EAP-Message = 0x0201001101686f73742f436c69656e7433
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 1
>  modcall[authorize]: module "preprocess" returns ok for request 1
>  modcall[authorize]: module "chap" returns noop for request 1
>  modcall[authorize]: module "mschap" returns noop for request 1
>    rlm_realm: No '@' in User-Name = "host/Client3", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 1
>  rlm_eap: EAP packet type response id 1 length 17
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 1
>    users: Matched entry DEFAULT at line 181
>    users: Matched entry DEFAULT at line 200
>  modcall[authorize]: module "files" returns ok for request 1
>modcall: group authorize returns updated for request 1
>  rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 1
>
>
</pre>
<p>Fallibroome High School<br>Priory Lane<br>Macclesfield<br>Cheshire<br>SK10 4AF</p>
<p>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></p></td></tr></tbody></table><br>
<br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br><br>
</blockquote></div><br>