OK, I changed it to default<br>proxy_requests = yes<br>$INCLUDE proxy.conf <br><br>/etc/freeradius/certs/Makefile<br>was:<br>#client.crt: client.csr server.crt server.key index.txt serial<br>#
openssl ca -batch -keyfile server.key -cert server.crt -in client.csr
-key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext
-extfile xpextensions -config ./client.cnf<br>
<br>is now:<br>client.crt: client.csr ca.pem ca.key index.txt serial<br> openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf<br>
<br><br>changes in client.cnf<br>was:<br>certificate = $dir/server.pem<br>serial = $dir/serial<br>private_key = $dir/server.key<br>commonName = <a href="mailto:user@example.com" target="_blank">user@example.com</a><br>
<br>is now:<br>certificate = $dir/ca.pem<br>serial = $dir/serial<br>private_key = $dir/ca.key<br>commonName = user_certificate<br>
<br><br>Now, after installation of ca.der and client.p12 in Windows, everything in the certificate stores seems to be ok.<br>There is no exclamation mark on user_certificate, and the certification path is ok.<br><br>Back to the server:<br>
<br>Ready to process requests.<br>rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=240, length=147<br> NAS-IP-Address = 192.168.5.206<br> NAS-Port = 50046<br> NAS-Port-Type = Ethernet<br>
User-Name = "user_certificate"<br> Called-Station-Id = "00-0C-30-81-9B-EE"<br> Calling-Station-Id = "00-0A-E4-13-1A-02"<br> Service-Type = Framed-User<br> Framed-MTU = 1500<br>
EAP-Message = 0x0200001501757365725f6365727469666963617465<br> Message-Authenticator = 0x0d65a52fd78035c3c828c30d2a2442d9<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>
++[mschap] returns noop<br>[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 0 length 21<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type md5<br>rlm_eap_md5: Issuing Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 240 to 192.168.5.206 port 1812<br>
EAP-Message = 0x0101001604100c91af03e9cd5c25126407d36f22684a<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xb5a5cfd0b5a4cb20491e5ee122e4a622<br>Finished request 0.<br>Going to the next request<br>
<br><br><div class="gmail_quote"><br><br>On Wed, May 20, 2009 at 2:39 PM, Ivan Kalik <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">>>> The steps you took show that you are NOT following the guide.<br>
>>> Good luck. You clearly are *not* interested in solving the problem.<br>
><br>
> the guide in radiusd.conf says:<br>
> #The server has proxying turned on by default. If your system is NOT<br>
> # set up to proxy requests to another server, then you can turn proxying<br>
> # off here. This will save a small amount of resources on the server.<br>
> I tried to read carefully with understanding. I don't use a proxy, my system<br>
> is not sending requests to another server, so I turned it off.<br>
<br>
</div>You might not want to, but you *are* proxying your requests. You have<br>
created a client certificate with the predefined data in client.cnf - which is<br>
part of the proxy demonstration setup. So, leave the proxy settings alone and<br>
concentrate on doing what you have been advised - changing the data in<br>
client.cnf so the created client certificate won't have @<a href="http://example.com" target="_blank">example.com</a> as part<br>
of the username.<br>
<div class="im"><br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
<br>
-<br>
</div><div><div></div><div class="h5">List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br>
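As an added example (not from the poster or from the FreeRADIUS project), the following POSIX shell script reproduces the corrected signing step on a throwaway CA, issuing the client certificate with the CA key and certificate rather than the server key, and then runs the checks a practitioner would want before importing client.p12 into Windows: the chain verifies against ca.pem (the "certification path is ok" result), the subject commonName carries no @realm suffix that would turn into a proxied User-Name, and the clientAuth extended key usage that the Makefile's xpclient_ext section supplies is present. File names, the CN user_certificate and the temporary working directory are illustrative assumptions; openssl x509 -req stands in for openssl ca so no index.txt/serial database is needed.

```sh
#!/bin/sh
# Added example, not the mailing-list poster's or FreeRADIUS's own code.
# Builds a throwaway CA, signs a client CSR with the CA key (the fix from
# the thread), then checks what the Windows certificate store would check.
# All paths, names and the CN are illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Throwaway self-signed CA, standing in for ca.pem / ca.key in the certs dir.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout ca.key -out ca.pem \
        -subj "/CN=Example Certificate Authority" >/dev/null 2>&1
}

# Client key and CSR with a plain commonName: no "@realm" in the name, so
# FreeRADIUS's suffix module has nothing to proxy on.
make_client_csr() {
    cn="$1"
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=$cn" >/dev/null 2>&1
}

# Sign with the CA key and CA cert (not server.key/server.crt), adding the
# clientAuth EKU that the Makefile's xpclient_ext extension section provides.
sign_client() {
    cat > client_ext.cnf <<'EOF'
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -extfile client_ext.cnf -out client.crt >/dev/null 2>&1
}

# Check 1: client.crt must chain to ca.pem (openssl verify prints "client.crt: OK").
verify_chain() {
    openssl verify -CAfile ca.pem client.crt >/dev/null 2>&1
}

# Check 2: return the subject in RFC 2253 form so a caller can confirm
# the CN is exactly what was requested and contains no '@'.
client_cn() {
    openssl x509 -in client.crt -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Check 3: the certificate must be usable for TLS client authentication.
has_client_auth() {
    openssl x509 -in client.crt -noout -purpose | grep -q '^SSL client : Yes'
}

# Run stand-alone with "sh thisfile.sh demo" to see the three checks pass.
if [ "${1:-}" = "demo" ]; then
    make_ca
    make_client_csr user_certificate
    sign_client
    verify_chain && echo "chain verifies against ca.pem"
    echo "subject: $(client_cn)"
    has_client_auth && echo "clientAuth EKU present"
fi
```

If verify_chain fails here, the Windows store will show the exclamation mark on the user certificate for the same reason: the issuer of client.crt is not the CA whose ca.der was imported. A CN containing "@" is what makes the suffix module split off a realm and look for a home server, which is the proxying Ivan refers to.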