Back to the beginning<br>
and using the most simple conf.<br>
<br>
To be sure that I have a clean configuration:<br>
#apt-get remove freeradius<br>
#dpkg -P freeradius<br>
#dpkg -i freeradius_2.1.6-0_i386.deb<br>
Server is Debian etchnhalf; it is a virtual server on VMware ESX Server 3i, 3.5.0.<br>
<br>
Now I have a clean configuration and make simple changes.<br>
<br>
Changes:<br>
radiusd.conf<br>
proxy_requests = no #was yes, set to no because I don't need it<br>
#$INCLUDE proxy.conf #was uncommented, see above<br>
<br>
eap.conf<br>
no changes at all<br>
<br>
clients.conf<br>
add a client - 192.168.5.0/24.. (client Cisco 2950)<br>
<br>
Next I made a client certificate (using the standard scripts):<br>
#cd /etc/freeradius/certs<br>
#make client<br>
and installed the certificates client.p12, ca.der on Win XP Prof SP3 OEM, Acer Travel Mate 380.<br>
Certificates installed in the Trusted Root CA and Personal stores (I deleted all previous certs on that system).<br>
<br>
I still have a problem - described in my previous post:<br>
>exclamation mark on client certificate:<br>
>"windows does not have enough information to verify this certificate"<br>
>"you have a private key that corresponds to this certificate"<br>
><a href="http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu">http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu</a><br>
but I am frightened to make any changes without your permission in /etc/freeradius/certs/Makefile, and even though I have your permission I still don't know what to change.<br>
I got familiar with <a href="http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ">http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ</a> but I did not find what to change in this file.<br>
<br>
Ivan wrote:<br>
>Use your own domain. For EAP-TLS - no modification needed. I have seen you<br>
>going on about PEAP as well. If those users are also using format<br>
>user@your_domain, then create local realm your_domain - it won't interfere<br>
>with EAP-TLS and will create Stripped-User-Name that can be used for<br>
>authentication.<br>
I don't want to have a domain yet; all I want to have at the beginning:<br>
server radius + server certificate (common name: server_cert - signed by my_radius_CA)<br>
clients radius (cisco 2950)<br>
user radius (winxp) + client certificate (common name: client_cert - signed by my_radius_CA)<br>
no usernames, no passwords for usernames, no proxies, no domains at all<br>
<br>
I used the files ca, server, client, da, random created by the /etc/freeradius/certs/bootstrap script.<br>
<br>
I know that I am at the start of the topic, I am listening, really.<br>
Bartosz.<br>
<br>
freeradius -X<br>
<br>
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=226, length=147<br>
 NAS-IP-Address = 192.168.5.206<br>
 NAS-Port = 50046<br>
 NAS-Port-Type = Ethernet<br>
 User-Name = "user@example.com"<br>
 Called-Station-Id = "00-0C-30-81-9B-EE"<br>
 Calling-Station-Id = "00-0A-E4-13-1A-02"<br>
 Service-Type = Framed-User<br>
 Framed-MTU = 1500<br>
 EAP-Message = 0x020000150175736572406578616d706c652e636f6d<br>
 Message-Authenticator = 0x9bcadf204cf30292cfb7f1abed75501b<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"<br>
[suffix] No such realm "example.com"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 0 length 21<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>
++[unix] returns notfound<br>
++[files] returns noop<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>
Found Auth-Type = EAP<br>
+- entering group authenticate {...}<br>
[eap] EAP Identity<br>
[eap] processing type md5<br>
rlm_eap_md5: Issuing Challenge<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 226 to 192.168.5.206 port 1812<br>
 EAP-Message = 0x0101001604108a193ba39f65974f35dc5b3140db877f<br>
 Message-Authenticator = 0x00000000000000000000000000000000<br>
 State = 0x495360bd49526405f11f72d516a953d3<br>
Finished request 0.<br>
Going to the next request<br>
<br><div class="gmail_quote">On Wed, May 20, 2009 at 11:38 AM, Ivan Kalik <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">> could you give me good freeradius guide for dummies - I think I need it :)<br>
><br>
<br>
</div>Guide: don't make any changes to the default configuration unless you know<br>
what you are doing. That's it.<br>
<br>
Server is configured by default to handle EAP-TLS. There is nothing that<br>
you need to do to make it happen.<br>
<br>
Now, about your problem: freeradius uses fake realm example.com - for<br>
examples. Of proxying, fail-over home servers, use of virtual servers etc.<br>
Why are *you* using it as well? These examples are not what you want to<br>
do.<br>
<br>
Use your own domain. For EAP-TLS - no modification needed. I have seen you<br>
going on about PEAP as well. If those users are also using format<br>
user@your_domain, then create local realm your_domain - it won't interfere<br>
with EAP-TLS and will create Stripped-User-Name that can be used for<br>
authentication.<br>
<div class="im"><br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
<br>
-<br>
</div><div><div></div><div class="h5">List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br>
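The debug output in the post above shows two things worth reading by hand: the `suffix` instance of rlm_realm splitting "user@example.com" and finding no realm (so it returns noop, as Ivan's reply explains), and the two EAP-Message attributes, which are the supplicant's Identity response and the server's MD5-Challenge. The Python below is an added example, not code from the post or from the FreeRADIUS project: it pulls those attributes out of the debug text, mimics the suffix lookup against a realm list (a constructed stand-in for proxy.conf, not the real module), and decodes the EAP packets according to the RFC 3748 framing. The Nak sample at the end is constructed to show the next packet a TLS supplicant sends.

```python
"""Walk through the `freeradius -X` output above (added example; not code
from the original post or from FreeRADIUS).  Splits the EAP identity the
way the `suffix` realm instance does and decodes the EAP-Message values.
The realm list passed in is a constructed stand-in for proxy.conf."""

import re

# EAP codes and method types from RFC 3748 / IANA (only the ones needed here).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}


def split_suffix(user_name, local_realms):
    """Mimic the `suffix` realm instance: split User-Name on the last '@'
    and look the realm up.  Returns (return_code, stripped_user, realm):
    'noop' when there is no '@' or the realm is unknown (the "No such
    realm" case in the log), 'updated' when a configured realm matched
    and Stripped-User-Name would be added to the request."""
    if "@" not in user_name:
        return ("noop", None, None)
    user, realm = user_name.rsplit("@", 1)
    if realm.lower() not in {r.lower() for r in local_realms}:
        return ("noop", None, realm)
    return ("updated", user, realm)


def decode_eap(hex_attr):
    """Decode one EAP-Message value as printed by the debug output
    (0x-prefixed hex).  Returns a dict with the header and, for the
    method types seen at the start of an EAP-TLS exchange, the payload."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):  # malformed or truncated attribute
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                    # Request/Response carry a type byte
        if len(raw) < 5:
            raise ValueError("EAP Request/Response without a type byte")
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                 # Identity: the NAI as a string
            pkt["identity"] = raw[5:].decode("ascii", "replace")
        elif eap_type == 3:               # Nak: types the peer wants instead
            pkt["desired_types"] = [EAP_TYPES.get(t, t) for t in raw[5:]]
        elif eap_type == 4:               # MD5-Challenge: value-size, value, name
            size = raw[5]
            pkt["challenge"] = raw[6:6 + size].hex()
    return pkt


def walk_debug(debug_text, local_realms):
    """Collect User-Name and EAP-Message attributes from debug text and
    annotate them.  Returns {"user_name", "suffix", "eap"}."""
    user = re.search(r'User-Name = "([^"]*)"', debug_text)
    messages = re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", debug_text)
    result = {"user_name": user.group(1) if user else None, "eap": []}
    result["suffix"] = split_suffix(result["user_name"], local_realms) if user else None
    for hex_attr in messages:
        result["eap"].append(decode_eap(hex_attr))
    return result


# Attribute lines copied from the debug output in the post above.
DEBUG_EXCERPT = """
 User-Name = "user@example.com"
 EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Sending Access-Challenge of id 226 to 192.168.5.206 port 1812
 EAP-Message = 0x0101001604108a193ba39f65974f35dc5b3140db877f
"""

if __name__ == "__main__":
    # With no realm configured the suffix lookup is a noop, exactly as logged.
    summary = walk_debug(DEBUG_EXCERPT, local_realms=[])
    print("suffix:", summary["suffix"])
    for pkt in summary["eap"]:
        print("EAP:", pkt)
    # Constructed: the Nak a TLS supplicant returns after the MD5 challenge.
    print("Nak:", decode_eap("0x02010006030d"))
```

Running it shows why the log looks the way it does: the only server packet is an MD5-Challenge because the server opens with its default EAP type, and a supplicant configured for EAP-TLS answers that with a Nak proposing type 13 (TLS), after which the TLS handshake starts. Nothing in the exchange so far needed a realm or a password, which is the point of Ivan's reply; the Windows warning about the client certificate is a trust-chain problem on the XP side, separate from this RADIUS conversation.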