Hello<br><br>I have followed the procedures to create EAP certificates in etc/raddb/certs, but when I copy the ca.der and client.P12, my Windows XP cannot seem to authenticate to the RADIUS server.<br><br>I can see a small balloon appearing on XP stating failed to authenticate on palstaff.<br>
<br><br>My Proxim AP reports Radius Server Error, but I have already set the Radius Server IP address in the Proxim AP.<br> <br>I have also updated my Makefile as below to allow XP clients to authenticate<br><br><br><br>######################################################################<br>
#<br>#  Create a new client certificate, signed by the above server<br>#  certificate.<br>#<br>######################################################################<br>client.csr client.key: client.cnf<br>        openssl req -new  -out client.csr -keyout client.key -config ./client.cnf<br>
<br>client.crt: client.csr ca.pem ca.key index.txt serial<br>        openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf<br>
<br>client.p12: client.crt<br>        openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)<br><br>client.pem: client.p12<br>        openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)<br>
        cp client.pem $(USER_NAME).pem<br><br>.PHONY: client.vrfy<br>client.vrfy: ca.pem client.pem<br>        c_rehash .<br>        openssl verify -CApath . client.pem<br><br><br><br>$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*<br>
<br>and redo the certificates.<br><br><br>Please, I need help with this<br><br><br><br>Regards<br><br>Devinder<br><br><br><div class="gmail_quote">2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com">devinbhullar@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">After I had restarted my XP<br><br>I get to see Windows was unable to log you on to palstaff.<br>
<br><br>palstaff is my SSID<br><br><br>Devinder<div><div></div><div class="h5"><br><br><div class="gmail_quote">2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com" target="_blank">devinbhullar@gmail.com</a>></span><br>

<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">When I click on my SSID I get authentication failed. The Proxim AP reports Radius not connected and I don't get to see any reply on Radius Server<div>

<div></div><div><br><br><br><div class="gmail_quote">2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com" target="_blank">devinbhullar@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">######################################################################<br>#<br>#  Create a new client certificate, signed by the above server<br>


#  certificate.<br>#<br>######################################################################<br>
client.csr client.key: client.cnf<br>        openssl req -new  -out client.csr -keyout client.key -config ./client.cnf<br><br>client.crt: client.csr ca.pem ca.key index.txt serial<br>        openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf<br>



<br>client.p12: client.crt<br>        openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)<br><br>client.pem: client.p12<br>        openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)<br>



        cp client.pem $(USER_NAME).pem<br><br>.PHONY: client.vrfy<br>client.vrfy: ca.pem client.pem<br>        c_rehash .<br>        openssl verify -CApath . client.pem<div><div></div><div><br><br><br><div class="gmail_quote">


2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com" target="_blank">devinbhullar@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Ivan,<br><br>I can't seem to authenticate my Windows XP client using EAP authentication. I have followed the steps in /etc/raddb/certs <br>



<br>This is my radius start up<br>Module: Instantiating eap-tls                                                            <br>
   tls {                                                                                  <br>        rsa_key_exchange = no                                                             <br>        dh_key_exchange = yes                                                             <br>




        rsa_key_length = 512                                                              <br>        dh_key_length = 512                                                               <br>        verify_depth = 0                                                                  <br>




        pem_file_type = yes                                                               <br>        private_key_file = "/etc/raddb/certs/server.pem"                                  <br>        certificate_file = "/etc/raddb/certs/server.pem"                                  <br>




        CA_file = "/etc/raddb/certs/ca.pem"                                               <br>        private_key_password = "myettelap"                                                <br>        dh_file = "/etc/raddb/certs/dh"                                                   <br>




        random_file = "/etc/raddb/certs/random"                                           <br>        fragment_size = 1024                                                              <br>        include_length = yes                                                              <br>




        check_crl = no                                                                    <br>        cipher_list = "DEFAULT"                                                           <br>        make_cert_command = "/etc/raddb/certs/bootstrap"                                  <br>




    cache {                                                                               <br>        enable = no                                                                       <br>        lifetime = 24                                                                     <br>




        max_entries = 255                                                                 <br>    }                                                                                     <br>   }                                                                                      <br>




 Module: Linked to sub-module rlm_eap_ttls                                                <br> Module: Instantiating eap-ttls                                                           <br>   ttls {                                                                                 <br>




        default_eap_type = "md5"                                                          <br>        copy_request_to_tunnel = no                                                       <br>        use_tunneled_reply = no                                                           <br>




        virtual_server = "inner-tunnel"                                                   <br>   }                                                                                      <br> Module: Linked to sub-module rlm_eap_peap                                                <br>




 Module: Instantiating eap-peap                                                           <br>   peap {                                                                                 <br>        default_eap_type = "mschapv2"                                                     <br>




        copy_request_to_tunnel = no                                                       <br>        use_tunneled_reply = no                                                           <br>        proxy_tunneled_request_as_eap = yes                                               <br>




        virtual_server = "inner-tunnel"                                                   <br>   }                                                                                      <br> Module: Linked to sub-module rlm_eap_mschapv2                                            <br>




 Module: Instantiating eap-mschapv2                                                       <br>   mschapv2 {                                                                             <br>        with_ntdomain_hack = no                                                           <br>




   }                                                                                      <br> Module: Checking authorize {...} for more modules to load                                <br> Module: Linked to module rlm_realm                                                       <br>




 Module: Instantiating suffix                                                             <br>  realm suffix {                                                                          <br>        format = "suffix"                                                                 <br>




        delimiter = "@"                                                                   <br>        ignore_default = no                                                               <br>        ignore_null = no                                                                  <br>




  }                                                                                       <br> Module: Linked to module rlm_files                                                       <br> Module: Instantiating files                                                              <br>




  files {                                                                                 <br>        usersfile = "/etc/raddb/users"                                                    <br>        acctusersfile = "/etc/raddb/acct_users"                                           <br>




        preproxy_usersfile = "/etc/raddb/preproxy_users"                                  <br>        compat = "no"                                                                     <br>  }                                                                                       <br>




 Module: Checking session {...} for more modules to load                                  <br> Module: Linked to module rlm_radutmp                                                     <br> Module: Instantiating radutmp                                                            <br>




  radutmp {                                                                               <br>        filename = "/var/log/radius/radutmp"                                              <br>        username = "%{User-Name}"                                                         <br>




        case_sensitive = yes                                                              <br>        check_with_nas = yes                                                              <br>        perm = 384                                                                        <br>




        callerid = yes                                                                    <br>  }                                                                                       <br> Module: Checking post-proxy {...} for more modules to load                               <br>




 Module: Checking post-auth {...} for more modules to load                                <br> Module: Linked to module rlm_attr_filter                                                 <br> Module: Instantiating attr_filter.access_reject                                          <br>




  attr_filter attr_filter.access_reject {                                                 <br>        attrsfile = "/etc/raddb/attrs.access_reject"                                      <br>        key = "%{User-Name}"                                                              <br>




  }                                                                                       <br> }                                                                                        <br>}                                                                                         <br>




 modules {                                                                                <br> Module: Checking authenticate {...} for more modules to load                             <br> Module: Checking authorize {...} for more modules to load                                <br>




 Module: Linked to module rlm_preprocess                                                  <br> Module: Instantiating preprocess                                                         <br>  preprocess {                                                                            <br>




        huntgroups = "/etc/raddb/huntgroups"                                              <br>        hints = "/etc/raddb/hints"                                                        <br>        with_ascend_hack = no                                                             <br>




        ascend_channels_per_line = 23                                                     <br>        with_ntdomain_hack = no                                                           <br>        with_specialix_jetstream_hack = no                                                <br>




        with_cisco_vsa_hack = no                                                          <br>        with_alvarion_vsa_hack = no                                                       <br>  }                                                                                       <br>




 Module: Checking preacct {...} for more modules to load                                  <br> Module: Linked to module rlm_acct_unique                                                 <br> Module: Instantiating acct_unique<br>




  acct_unique {<br>        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br>  }<br> Module: Checking accounting {...} for more modules to load<br> Module: Linked to module rlm_detail<br>




 Module: Instantiating detail<br>  detail {<br>        detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>        header = "%t"<br>        detailperm = 384<br>        dirperm = 493<br>




        locking = no<br>        log_packet_header = no<br>  }<br> Module: Instantiating attr_filter.accounting_response<br>  attr_filter attr_filter.accounting_response {<br>        attrsfile = "/etc/raddb/attrs.accounting_response"<br>




        key = "%{User-Name}"<br>  }<br> Module: Checking session {...} for more modules to load<br> Module: Checking post-proxy {...} for more modules to load<br> Module: Checking post-auth {...} for more modules to load<br>




 }<br>radiusd: #### Opening IP addresses and Ports ####<br>listen {<br>        type = "auth"<br>        ipaddr = *<br>        port = 0<br>}<br>listen {<br>        type = "acct"<br>        ipaddr = *<br>




        port = 0<br>}<br>Listening on authentication address * port 1812<br>Listening on accounting address * port 1813<br>Listening on proxy address * port 1814<br>Ready to process requests.<br><br><br><div class="gmail_quote">




2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com" target="_blank">devinbhullar@gmail.com</a>></span><div><div></div><div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">




<div>Hi Ivan,</div>
<div> </div>
<div>I created the certificates based on the README file in etc/raddb and copied ca.der and client.p12 to Windows XP</div>
<div> </div>
<div>I also made changes to the Makefile which runs on XP, but when I connect to the SSID I get authentication failed and the RADIUS does not seem to get any response from the Proxim AP.</div>
<div> </div>
<div><br clear="all"><br>-- <br>Devinder<br></div>
</blockquote></div></div></div><br><br clear="all"><br>-- <br><font color="#888888">Devinder<br>
</font></blockquote></div><br><br clear="all"><br></div></div>-- <br><font color="#888888">Devinder<br>
</font></blockquote></div><br><br clear="all"><br></div></div>-- <br><font color="#888888">Devinder<br>
</font></blockquote></div><br><br clear="all"><br></div></div>-- <br><font color="#888888">Devinder<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Devinder<br>
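An added example, not part of the original message or of the FreeRADIUS scripts: a shell check for what the Makefile change above is meant to achieve, namely that the client certificate chains to ca.pem and carries the clientAuth extended key usage requested with `-extensions xpclient_ext`. The demo CA, demo.cnf and the good/bad certificates are constructed so the script runs offline, and the content of the xpclient_ext section (the clientAuth OID) is an assumption, since the post does not show the xpextensions file.

```shell
#!/bin/sh
# Added example (not from the original post). The demo PKI and the names
# demo.cnf, good.crt and bad.crt are constructed for illustration.

# 0 if CERT carries extendedKeyUsage clientAuth (1.3.6.1.5.5.7.3.2)
has_client_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# 0 if CERT chains to CA and is acceptable as a TLS client certificate
chains_to_ca() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Returns 0 = usable, 1 = chain problem, 2 = chain fine but EKU missing
check_client_cert() {
    chains_to_ca "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; return 1; }
    has_client_eku "$2" || { echo "FAIL: $2 has no clientAuth EKU"; return 2; }
    echo "OK: $2"
}

# Build a throwaway CA and two client certs in DIR: good.crt is signed with
# the xpclient_ext section (assumed content), bad.crt without extensions.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    printf '[ xpclient_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.2\n' > "$d/xpextensions"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Demo CA' -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in good bad; do
        openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/xpextensions" \
        -extensions xpclient_ext -out "$d/good.crt" 2>/dev/null
    openssl x509 -req -in "$d/bad.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/bad.crt" 2>/dev/null
}

# Usage against real files: sh check.sh ca.pem client.crt
if [ "$#" -eq 2 ]; then check_client_cert "$1" "$2"; fi
```

A certificate signed without the extension still passes `openssl verify`, so the chain check alone does not show whether the extended key usage was applied; the separate EKU check does.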