<br><font size=2 face="sans-serif">Hello</font>
<br>
<br><font size=2 face="sans-serif">I've got a problem with my eap-tls configuration
: the server is accepting the device ( rad_check_password: Auth-Type
= Accept, accepting the user), but it doesn't connect to the to access-point
(HP Procurve). The server is a virtual Suse linux enterprise and the client
is windows XP sp 3.</font>
<br>
<br><font size=2 face="sans-serif">Any help would be great....</font>
<br>
<br><font size=2 face="sans-serif">Here is the output on the server: </font>
<br>
<br><font size=2 face="sans-serif">Starting - reading configuration files
...</font>
<br><font size=2 face="sans-serif">reread_config: reading radiusd.conf</font>
<br><font size=2 face="sans-serif">Config: including file: /etc/raddb/proxy.conf</font>
<br><font size=2 face="sans-serif">Config: including file: /etc/raddb/clients.conf</font>
<br><font size=2 face="sans-serif">Config: including file: /etc/raddb/snmp.conf</font>
<br><font size=2 face="sans-serif">Config: including file: /etc/raddb/eap.conf</font>
<br><font size=2 face="sans-serif">Config: including file: /etc/raddb/sql.conf</font>
<br><font size=2 face="sans-serif"> main: prefix = "/usr"</font>
<br><font size=2 face="sans-serif"> main: localstatedir = "/var"</font>
<br><font size=2 face="sans-serif"> main: logdir = "/var/log/radius"</font>
<br><font size=2 face="sans-serif"> main: libdir = "/usr/lib/freeradius"</font>
<br><font size=2 face="sans-serif"> main: radacctdir = "/var/log/radius/radacct"</font>
<br><font size=2 face="sans-serif"> main: hostname_lookups = no</font>
<br><font size=2 face="sans-serif"> main: max_request_time = 30</font>
<br><font size=2 face="sans-serif"> main: cleanup_delay = 5</font>
<br><font size=2 face="sans-serif"> main: max_requests = 1024</font>
<br><font size=2 face="sans-serif"> main: delete_blocked_requests
= 0</font>
<br><font size=2 face="sans-serif"> main: port = 0</font>
<br><font size=2 face="sans-serif"> main: allow_core_dumps = no</font>
<br><font size=2 face="sans-serif"> main: log_stripped_names = no</font>
<br><font size=2 face="sans-serif"> main: log_file = "/var/log/radius/radius.log"</font>
<br><font size=2 face="sans-serif"> main: log_auth = no</font>
<br><font size=2 face="sans-serif"> main: log_auth_badpass = no</font>
<br><font size=2 face="sans-serif"> main: log_auth_goodpass = no</font>
<br><font size=2 face="sans-serif"> main: pidfile = "/var/run/radiusd/radiusd.pid"</font>
<br><font size=2 face="sans-serif"> main: user = "(null)"</font>
<br><font size=2 face="sans-serif"> main: group = "(null)"</font>
<br><font size=2 face="sans-serif"> main: usercollide = no</font>
<br><font size=2 face="sans-serif"> main: lower_user = "no"</font>
<br><font size=2 face="sans-serif"> main: lower_pass = "no"</font>
<br><font size=2 face="sans-serif"> main: nospace_user = "no"</font>
<br><font size=2 face="sans-serif"> main: nospace_pass = "no"</font>
<br><font size=2 face="sans-serif"> main: checkrad = "/usr/sbin/checkrad"</font>
<br><font size=2 face="sans-serif"> main: proxy_requests = yes</font>
<br><font size=2 face="sans-serif"> proxy: retry_delay = 5</font>
<br><font size=2 face="sans-serif"> proxy: retry_count = 3</font>
<br><font size=2 face="sans-serif"> proxy: synchronous = no</font>
<br><font size=2 face="sans-serif"> proxy: default_fallback = yes</font>
<br><font size=2 face="sans-serif"> proxy: dead_time = 120</font>
<br><font size=2 face="sans-serif"> proxy: post_proxy_authorize =
no</font>
<br><font size=2 face="sans-serif"> proxy: wake_all_if_all_dead =
no</font>
<br><font size=2 face="sans-serif"> security: max_attributes = 200</font>
<br><font size=2 face="sans-serif"> security: reject_delay = 1</font>
<br><font size=2 face="sans-serif"> security: status_server = no</font>
<br><font size=2 face="sans-serif"> main: debug_level = 0</font>
<br><font size=2 face="sans-serif">read_config_files: reading dictionary</font>
<br><font size=2 face="sans-serif">read_config_files: reading naslist</font>
<br><font size=2 face="sans-serif">read_config_files: reading clients</font>
<br><font size=2 face="sans-serif">Using deprecated clients file. Support
for this will go away soon.</font>
<br><font size=2 face="sans-serif">read_config_files: reading realms</font>
<br><font size=2 face="sans-serif">radiusd: entering modules setup</font>
<br><font size=2 face="sans-serif">Module: Library search path is /usr/lib/freeradius</font>
<br><font size=2 face="sans-serif">Module: Loaded exec</font>
<br><font size=2 face="sans-serif"> exec: wait = yes</font>
<br><font size=2 face="sans-serif"> exec: program = "(null)"</font>
<br><font size=2 face="sans-serif"> exec: input_pairs = "request"</font>
<br><font size=2 face="sans-serif"> exec: output_pairs = "(null)"</font>
<br><font size=2 face="sans-serif"> exec: packet_type = "(null)"</font>
<br><font size=2 face="sans-serif">rlm_exec: Wait=yes but no output defined.
Did you mean output=none?</font>
<br><font size=2 face="sans-serif">Module: Instantiated exec (exec)</font>
<br><font size=2 face="sans-serif">Module: Loaded expr</font>
<br><font size=2 face="sans-serif">Module: Instantiated expr (expr)</font>
<br><font size=2 face="sans-serif">Module: Loaded eap</font>
<br><font size=2 face="sans-serif"> eap: default_eap_type = "tls"</font>
<br><font size=2 face="sans-serif"> eap: timer_expire = 60</font>
<br><font size=2 face="sans-serif"> eap: ignore_unknown_eap_types
= no</font>
<br><font size=2 face="sans-serif"> eap: cisco_accounting_username_bug
= no</font>
<br><font size=2 face="sans-serif">rlm_eap: Loaded and initialized type
md5</font>
<br><font size=2 face="sans-serif">rlm_eap: Loaded and initialized type
leap</font>
<br><font size=2 face="sans-serif"> gtc: challenge = "Password:
"</font>
<br><font size=2 face="sans-serif"> gtc: auth_type = "PAP"</font>
<br><font size=2 face="sans-serif">rlm_eap: Loaded and initialized type
gtc</font>
<br><font size=2 face="sans-serif"> tls: rsa_key_exchange = no</font>
<br><font size=2 face="sans-serif"> tls: dh_key_exchange = yes</font>
<br><font size=2 face="sans-serif"> tls: rsa_key_length = 512</font>
<br><font size=2 face="sans-serif"> tls: dh_key_length = 512</font>
<br><font size=2 face="sans-serif"> tls: verify_depth = 0</font>
<br><font size=2 face="sans-serif"> tls: CA_path = "(null)"</font>
<br><font size=2 face="sans-serif"> tls: pem_file_type = yes</font>
<br><font size=2 face="sans-serif"> tls: private_key_file = "/sslcert/CAkey.pem"</font>
<br><font size=2 face="sans-serif"> tls: certificate_file = "/sslcert/sierrerad10.pem"</font>
<br><font size=2 face="sans-serif"> tls: CA_file = "/sslcert/CAcrt.pem"</font>
<br><font size=2 face="sans-serif"> tls: private_key_password = "novelis"</font>
<br><font size=2 face="sans-serif"> tls: dh_file = "/etc/raddb/certs/dh"</font>
<br><font size=2 face="sans-serif"> tls: random_file = "/etc/raddb/certs/random"</font>
<br><font size=2 face="sans-serif"> tls: fragment_size = 1024</font>
<br><font size=2 face="sans-serif"> tls: include_length = yes</font>
<br><font size=2 face="sans-serif"> tls: check_crl = no</font>
<br><font size=2 face="sans-serif"> tls: check_cert_cn = "(null)"</font>
<br><font size=2 face="sans-serif">rlm_eap_tls: Loading the certificate
file as a chain</font>
<br><font size=2 face="sans-serif">rlm_eap: Loaded and initialized type
tls</font>
<br><font size=2 face="sans-serif"> mschapv2: with_ntdomain_hack =
no</font>
<br><font size=2 face="sans-serif">rlm_eap: Loaded and initialized type
mschapv2</font>
<br><font size=2 face="sans-serif">Module: Instantiated eap (eap)</font>
<br><font size=2 face="sans-serif">Module: Loaded preprocess</font>
<br><font size=2 face="sans-serif"> preprocess: huntgroups = "/etc/raddb/huntgroups"</font>
<br><font size=2 face="sans-serif"> preprocess: hints = "/etc/raddb/hints"</font>
<br><font size=2 face="sans-serif"> preprocess: with_ascend_hack =
no</font>
<br><font size=2 face="sans-serif"> preprocess: ascend_channels_per_line
= 23</font>
<br><font size=2 face="sans-serif"> preprocess: with_ntdomain_hack
= no</font>
<br><font size=2 face="sans-serif"> preprocess: with_specialix_jetstream_hack
= no</font>
<br><font size=2 face="sans-serif"> preprocess: with_cisco_vsa_hack
= no</font>
<br><font size=2 face="sans-serif">Module: Instantiated preprocess (preprocess)</font>
<br><font size=2 face="sans-serif">Module: Loaded files</font>
<br><font size=2 face="sans-serif"> files: usersfile = "/etc/raddb/users"</font>
<br><font size=2 face="sans-serif"> files: acctusersfile = "/etc/raddb/acct_users"</font>
<br><font size=2 face="sans-serif"> files: preproxy_usersfile = "/etc/raddb/preproxy_users"</font>
<br><font size=2 face="sans-serif"> files: compat = "no"</font>
<br><font size=2 face="sans-serif">Module: Instantiated files (files)</font>
<br><font size=2 face="sans-serif">Module: Loaded Acct-Unique-Session-Id</font>
<br><font size=2 face="sans-serif"> acct_unique: key = "User-Name,
Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"</font>
<br><font size=2 face="sans-serif">Module: Instantiated acct_unique (acct_unique)</font>
<br><font size=2 face="sans-serif">Module: Loaded realm</font>
<br><font size=2 face="sans-serif"> realm: format = "suffix"</font>
<br><font size=2 face="sans-serif"> realm: delimiter = "@"</font>
<br><font size=2 face="sans-serif"> realm: ignore_default = no</font>
<br><font size=2 face="sans-serif"> realm: ignore_null = no</font>
<br><font size=2 face="sans-serif">Module: Instantiated realm (suffix)</font>
<br><font size=2 face="sans-serif">Module: Loaded detail</font>
<br><font size=2 face="sans-serif"> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"</font>
<br><font size=2 face="sans-serif"> detail: detailperm = 384</font>
<br><font size=2 face="sans-serif"> detail: dirperm = 493</font>
<br><font size=2 face="sans-serif"> detail: locking = no</font>
<br><font size=2 face="sans-serif">Module: Instantiated detail (detail)</font>
<br><font size=2 face="sans-serif">Module: Loaded System</font>
<br><font size=2 face="sans-serif"> unix: cache = no</font>
<br><font size=2 face="sans-serif"> unix: passwd = "/etc/passwd"</font>
<br><font size=2 face="sans-serif"> unix: shadow = "(null)"</font>
<br><font size=2 face="sans-serif"> unix: group = "/etc/group"</font>
<br><font size=2 face="sans-serif"> unix: radwtmp = "/var/log/radius/radwtmp"</font>
<br><font size=2 face="sans-serif"> unix: usegroup = no</font>
<br><font size=2 face="sans-serif"> unix: cache_reload = 600</font>
<br><font size=2 face="sans-serif">Module: Instantiated unix (unix)</font>
<br><font size=2 face="sans-serif">Module: Loaded radutmp</font>
<br><font size=2 face="sans-serif"> radutmp: filename = "/var/log/radius/radutmp"</font>
<br><font size=2 face="sans-serif"> radutmp: username = "%{User-Name}"</font>
<br><font size=2 face="sans-serif"> radutmp: case_sensitive = yes</font>
<br><font size=2 face="sans-serif"> radutmp: check_with_nas = yes</font>
<br><font size=2 face="sans-serif"> radutmp: perm = 384</font>
<br><font size=2 face="sans-serif"> radutmp: callerid = yes</font>
<br><font size=2 face="sans-serif">Module: Instantiated radutmp (radutmp)</font>
<br><font size=2 face="sans-serif">Listening on authentication *:1812</font>
<br><font size=2 face="sans-serif">Listening on accounting *:1813</font>
<br><font size=2 face="sans-serif">Ready to process requests.</font>
<br><font size=2 face="sans-serif">rad_recv: Access-Request packet from
host 10.166.42.30:1024, id=1, length=159</font>
<br><font size=2 face="sans-serif"> User-Name
= "sierre08015"</font>
<br><font size=2 face="sans-serif"> NAS-IP-Address
= 10.166.42.30</font>
<br><font size=2 face="sans-serif"> NAS-Port
= 1</font>
<br><font size=2 face="sans-serif"> Called-Station-Id
= "00-14-C2-BB-FF-70:test"</font>
<br><font size=2 face="sans-serif"> Calling-Station-Id
= "00-1F-3C-13-1A-1F"</font>
<br><font size=2 face="sans-serif"> Framed-MTU
= 1400</font>
<br><font size=2 face="sans-serif"> NAS-Port-Type
= Wireless-802.11</font>
<br><font size=2 face="sans-serif"> Connect-Info
= "CONNECT 0Mbps 802.11g"</font>
<br><font size=2 face="sans-serif"> EAP-Message
= 0x02010010017369657272653038303135</font>
<br><font size=2 face="sans-serif"> Message-Authenticator
= 0x4cc4a961e5aae9b990d400eab9ec0a8e</font>
<br><font size=2 face="sans-serif"> Processing the authorize section
of radiusd.conf</font>
<br><font size=2 face="sans-serif">modcall: entering group authorize for
request 0</font>
<br><font size=2 face="sans-serif"> modcall[authorize]: module "preprocess"
returns ok for request 0</font>
<br><font size=2 face="sans-serif"> rlm_eap: EAP packet type response
id 1 length 16</font>
<br><font size=2 face="sans-serif"> rlm_eap: No EAP Start, assuming
it's an on-going EAP conversation</font>
<br><font size=2 face="sans-serif"> modcall[authorize]: module "eap"
returns updated for request 0</font>
<br><font size=2 face="sans-serif"> users: Matched entry sierre08015
at line 97</font>
<br><font size=2 face="sans-serif"> modcall[authorize]: module "files"
returns ok for request 0</font>
<br><font size=2 face="sans-serif">modcall: leaving group authorize (returns
updated) for request 0</font>
<br><font size=2 face="sans-serif"> rad_check_password: Found
Auth-Type Accept</font>
<br><font size=2 face="sans-serif"> rad_check_password: Auth-Type
= Accept, accepting the user</font>
<br><font size=2 face="sans-serif">Sending Access-Accept of id 1 to 10.166.42.30
port 1024</font>
<br><font size=2 face="sans-serif">Finished request 0</font>
<br><font size=2 face="sans-serif">Going to the next request</font>
<br>
<br>
<br><font size=2 face="sans-serif">The eap.conf file :</font>
<br><font size=2 face="sans-serif"># -*- text -*-</font>
<br><font size=2 face="sans-serif">#</font>
<br><font size=2 face="sans-serif"># Whatever you do, do NOT set
'Auth-Type := EAP'. The server</font>
<br><font size=2 face="sans-serif"># is smart enough to figure this
out on its own. The most</font>
<br><font size=2 face="sans-serif"># common side effect of setting
'Auth-Type := EAP' is that the</font>
<br><font size=2 face="sans-serif"># users then cannot use ANY other
authentication method.</font>
<br><font size=2 face="sans-serif">#</font>
<br><font size=2 face="sans-serif"># $Id:
eap.conf,v 1.4.4.1 2006/01/04 14:29:29 nbk Exp $</font>
<br><font size=2 face="sans-serif">#</font>
<br><font size=2 face="sans-serif"> eap
{</font>
<br><font size=2 face="sans-serif">
# Invoke the default supported EAP type
when</font>
<br><font size=2 face="sans-serif">
# EAP-Identity response is received.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# The incoming EAP messages DO NOT specify
which EAP</font>
<br><font size=2 face="sans-serif">
# type they will be using, so it MUST
be set here.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# For now, only one default EAP type
may be used at a time.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# If the EAP-Type attribute is set by
another module,</font>
<br><font size=2 face="sans-serif">
# then that EAP type takes precedence
over the</font>
<br><font size=2 face="sans-serif">
# default type configured here.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif"> #
default_eap_type = md5</font>
<br><font size=2 face="sans-serif">
default_eap_type = tls</font>
<br><font size=2 face="sans-serif">
</font>
<br><font size=2 face="sans-serif">
# A list is maintained to correlate
EAP-Response</font>
<br><font size=2 face="sans-serif">
# packets with EAP-Request packets.
After a</font>
<br><font size=2 face="sans-serif">
# configurable length of time, entries
in the list</font>
<br><font size=2 face="sans-serif">
# expire, and are deleted.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
timer_expire = 60</font>
<br>
<br><font size=2 face="sans-serif">
# There are many EAP types, but the
server has support</font>
<br><font size=2 face="sans-serif">
# for only a limited subset. If
the server receives</font>
<br><font size=2 face="sans-serif">
# a request for an EAP type it does
not support, then</font>
<br><font size=2 face="sans-serif">
# it normally rejects the request. By
setting this</font>
<br><font size=2 face="sans-serif">
# configuration to "yes",
you can tell the server to</font>
<br><font size=2 face="sans-serif">
# instead keep processing the request.
Another module</font>
<br><font size=2 face="sans-serif">
# MUST then be configured to proxy the
request to</font>
<br><font size=2 face="sans-serif">
# another RADIUS server which supports
that EAP type.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# If another module is NOT configured
to handle the</font>
<br><font size=2 face="sans-serif">
# request, then the request will still
end up being</font>
<br><font size=2 face="sans-serif">
# rejected.</font>
<br><font size=2 face="sans-serif">
ignore_unknown_eap_types = no</font>
<br>
<br><font size=2 face="sans-serif">
# Cisco AP1230B firmware 12.2(13)JA1 has a
bug. When given</font>
<br><font size=2 face="sans-serif">
# a User-Name attribute in an Access-Accept,
it copies one</font>
<br><font size=2 face="sans-serif">
# more byte than it should.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# We can work around it by configurably adding
an extra</font>
<br><font size=2 face="sans-serif">
# zero byte.</font>
<br><font size=2 face="sans-serif">
cisco_accounting_username_bug = no</font>
<br>
<br><font size=2 face="sans-serif">
# Supported EAP-types</font>
<br>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# We do NOT recommend using EAP-MD5
authentication</font>
<br><font size=2 face="sans-serif">
# for wireless connections. It
is insecure, and does</font>
<br><font size=2 face="sans-serif">
# not provide for dynamic WEP keys.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
md5 {</font>
<br><font size=2 face="sans-serif">
}</font>
<br>
<br><font size=2 face="sans-serif">
# Cisco LEAP</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# We do not recommend using LEAP in
new deployments. See:</font>
<br><font size=2 face="sans-serif">
# http://www.securiteam.com/tools/5TP012ACKE.html</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# Cisco LEAP uses the MS-CHAP algorithm
(but not</font>
<br><font size=2 face="sans-serif">
# the MS-CHAP attributes) to perform
it's authentication.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# As a result, LEAP *requires* access
to the plain-text</font>
<br><font size=2 face="sans-serif">
# User-Password, or the NT-Password
attributes.</font>
<br><font size=2 face="sans-serif">
# 'System' authentication is impossible
with LEAP.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
leap {</font>
<br><font size=2 face="sans-serif">
}</font>
<br>
<br><font size=2 face="sans-serif">
# Generic Token Card.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# Currently, this is only permitted
inside of EAP-TTLS,</font>
<br><font size=2 face="sans-serif">
# or EAP-PEAP. The module "challenges"
the user with</font>
<br><font size=2 face="sans-serif">
# text, and the response from the user
is taken to be</font>
<br><font size=2 face="sans-serif">
# the User-Password.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# Proxying the tunneled EAP-GTC session
is a bad idea,</font>
<br><font size=2 face="sans-serif">
# the users password will go over the
wire in plain-text,</font>
<br><font size=2 face="sans-serif">
# for anyone to see.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
gtc {</font>
<br><font size=2 face="sans-serif">
# The
default challenge, which many clients</font>
<br><font size=2 face="sans-serif">
# ignore..</font>
<br><font size=2 face="sans-serif">
#challenge
= "Password: "</font>
<br>
<br><font size=2 face="sans-serif">
# The
plain-text response which comes back</font>
<br><font size=2 face="sans-serif">
# is
put into a User-Password attribute,</font>
<br><font size=2 face="sans-serif">
# and
passed to another module for</font>
<br><font size=2 face="sans-serif">
# authentication.
This allows the EAP-GTC</font>
<br><font size=2 face="sans-serif">
# response
to be checked against plain-text,</font>
<br><font size=2 face="sans-serif">
# or
crypt'd passwords.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# If
you say "Local" instead of "PAP", then</font>
<br><font size=2 face="sans-serif">
# the
module will look for a User-Password</font>
<br><font size=2 face="sans-serif">
# configured
for the request, and do the</font>
<br><font size=2 face="sans-serif">
# authentication
itself.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
auth_type
= PAP</font>
<br><font size=2 face="sans-serif">
}</font>
<br>
<br><font size=2 face="sans-serif">
## EAP-TLS</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# To generate ctest certificates, run
the script</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# ../scripts/certs.sh</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# The documents on http://www.freeradius.org/doc</font>
<br><font size=2 face="sans-serif">
# are old, but may be helpful.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# See also:</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# http://www.dslreports.com/forum/remark,9286052~mode=flat</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
tls {</font>
<br><font size=2 face="sans-serif">
private_key_password
= novelis</font>
<br><font size=2 face="sans-serif">
# private_key_file
= ${raddbdir}/certs/cert-srv.pem</font>
<br><font size=2 face="sans-serif">
private_key_file
= /sslcert/CAkey.pem</font>
<br><font size=2 face="sans-serif">
</font>
<br><font size=2 face="sans-serif">
# If
Private key & Certificate are located in</font>
<br><font size=2 face="sans-serif">
# the
same file, then private_key_file &</font>
<br><font size=2 face="sans-serif">
# certificate_file
must contain the same file</font>
<br><font size=2 face="sans-serif">
# name.</font>
<br><font size=2 face="sans-serif">
# certificate_file
= ${raddbdir}/certs/cert-srv.pem</font>
<br><font size=2 face="sans-serif">
certificate_file
= /sslcert/sierrerad10.pem</font>
<br>
<br><font size=2 face="sans-serif">
# Trusted
Root CA list</font>
<br><font size=2 face="sans-serif">
# CA_file
= ${raddbdir}/certs/demoCA/cacert.pem</font>
<br><font size=2 face="sans-serif">
CA_file
= /sslcert/CAcrt.pem</font>
<br><font size=2 face="sans-serif">
# CA_path
= ${raddbdir}/certs/demoCA/cacert.pem</font>
<br>
<br><font size=2 face="sans-serif">
dh_file
= ${raddbdir}/certs/dh</font>
<br><font size=2 face="sans-serif">
random_file
= ${raddbdir}/certs/random</font>
<br>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# This
can never exceed the size of a RADIUS</font>
<br><font size=2 face="sans-serif">
# packet
(4096 bytes), and is preferably half</font>
<br><font size=2 face="sans-serif">
# that,
to accomodate other attributes in</font>
<br><font size=2 face="sans-serif">
# RADIUS
packet. On most APs the MAX packet</font>
<br><font size=2 face="sans-serif">
# length
is configured between 1500 - 1600</font>
<br><font size=2 face="sans-serif">
# In
these cases, fragment size should be</font>
<br><font size=2 face="sans-serif">
# 1024
or less.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
fragment_size
= 1024</font>
<br>
<br><font size=2 face="sans-serif">
# include_length
is a flag which is</font>
<br><font size=2 face="sans-serif">
# by
default set to yes If set to</font>
<br><font size=2 face="sans-serif">
# yes,
Total Length of the message is</font>
<br><font size=2 face="sans-serif">
# included
in EVERY packet we send.</font>
<br><font size=2 face="sans-serif">
# If
set to no, Total Length of the</font>
<br><font size=2 face="sans-serif">
# message
is included ONLY in the</font>
<br><font size=2 face="sans-serif">
# First
packet of a fragment series.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
include_length
= yes</font>
<br>
<br><font size=2 face="sans-serif">
# Check
the Certificate Revocation List</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# 1)
Copy CA certificates and CRLs to same directory.</font>
<br><font size=2 face="sans-serif">
# 2)
Execute 'c_rehash <CA certs&CRLs Directory>'.</font>
<br><font size=2 face="sans-serif">
#
'c_rehash' is OpenSSL's command.</font>
<br><font size=2 face="sans-serif">
# 3)
Add 'CA_path=<CA certs&CRLs directory>'</font>
<br><font size=2 face="sans-serif">
#
to radiusd.conf's tls section.</font>
<br><font size=2 face="sans-serif">
# 4)
uncomment the line below.</font>
<br><font size=2 face="sans-serif">
# 5)
Restart radiusd</font>
<br><font size=2 face="sans-serif">
# check_crl
= yes</font>
<br>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# If check_cert_cn
is set, the value will</font>
<br><font size=2 face="sans-serif">
# be xlat'ed
and checked against the CN</font>
<br><font size=2 face="sans-serif">
# in the
client certificate. If the values</font>
<br><font size=2 face="sans-serif">
# do not
match, the certificate verification</font>
<br><font size=2 face="sans-serif">
# will fail
rejecting the user.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# check_cert_cn
= %{User-Name}</font>
<br><font size=2 face="sans-serif">
}</font>
<br>
<br>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# This takes no configuration.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# Note that it is the EAP MS-CHAPv2
sub-module, not</font>
<br><font size=2 face="sans-serif">
# the main 'mschap' module.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# Note also that in order for this sub-module
to work,</font>
<br><font size=2 face="sans-serif">
# the main 'mschap' module MUST ALSO
be configured.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
# This module is the *Microsoft* implementation
of MS-CHAPv2</font>
<br><font size=2 face="sans-serif">
# in EAP. There is another (incompatible)
implementation</font>
<br><font size=2 face="sans-serif">
# of MS-CHAPv2 in EAP by Cisco, which
FreeRADIUS does not</font>
<br><font size=2 face="sans-serif">
# currently support.</font>
<br><font size=2 face="sans-serif">
#</font>
<br><font size=2 face="sans-serif">
mschapv2 {</font>
<br><font size=2 face="sans-serif">
}</font>
<br><font size=2 face="sans-serif"> }</font>
<br>
<br><font size=2 face="sans-serif"><br>
</font><font size=3><br>
</font>
<p><font size=2 color=#990000 face="Arial"><b>NOVELIS</b></font><font size=3 face="Arial"><br>
</font><font size=1 face="Arial"><br>
Fabien Crettaz<br>
IT System and Infrastructure<br>
Novelis Automotive, Painted & Specialities<br>
<br>
Novelis Switzerland SA<br>
CH - 3960 Sierre, Switzerland<br>
phone: +41 (0)27 457 7164 <br>
fax: +41 (0)27 457 7105 </font><font size=1 color=blue face="Arial"><u><br>
</u></font><a href=mailto:fabien.crettaz@novelis.com><font size=1 color=blue face="Arial"><u>e-mail:
fabien.crettaz@novelis.com</u></font></a><font size=1 color=blue face="Arial"><u><br>
</u></font><a href=http://www.novelis.ch/><font size=1 color=blue face="Arial"><u>http://www.novelis.ch</u></font></a><font size=1 face="Arial"><br>
</font><font size=5 color=#008000 face="Webdings"><b><br>
P</b></font><font size=3 face="Arial"><b> </b></font><font size=1 color=#008000 face="Arial"><b>Please
consider the environment before printing this email.</b></font><font size=3 face="Arial">
</font>