Hello<br><br>I have followed the procedures to create EAP certificates in etc/raddb/certs, but when I copy the ca.der and client.P12, my Windows XP cannot seem to authenticate to the RADIUS server.<br><br>I can see a small balloon appearing on XP stating failed to authenticate on palstaff.<br>
<br><br>My Proxim AP reports Radius Server Error but I have already set the Radius Server IP address in the Proxim AP.<br> <br>I have also updated my Makefile as below to allow XP clients to authenticate<br><br><br><br>######################################################################<br>
#<br># Create a new client certificate, signed by the above server<br># certificate.<br>#<br>######################################################################<br>client.csr client.key: client.cnf<br> openssl req -new -out client.csr -keyout client.key -config ./client.cnf<br>
<br>client.crt: client.csr ca.pem ca.key index.txt serial<br> openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf<br>
<br>client.p12: client.crt<br> openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)<br><br>client.pem: client.p12<br> openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)<br>
cp client.pem $(USER_NAME).pem<br><br>.PHONY: client.vrfy<br>client.vrfy: ca.pem client.pem<br> c_rehash .<br> openssl verify -CApath . client.pem<br><br><br><br>$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*<br>
<br>and redo the certificates.<br><br><br>Please, I need help with this<br><br><br><br>Regards<br><br>Devinder<br><br><br><div class="gmail_quote">2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com">devinbhullar@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">After I had restarted my XP<br><br>I get to see Windows was unable to log you on to palstaff.<br>
<br><br>palstaff is my SSID<br><br><br>Devinder<div><div></div><div class="h5"><br><br><div class="gmail_quote">2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com" target="_blank">devinbhullar@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">When I click on my SSID I get authentication failed. The Proxim AP reports Radius not connected and I don't get to see any reply on Radius Server<div>
<div></div><div><br><br><br><div class="gmail_quote">2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com" target="_blank">devinbhullar@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">######################################################################<br>#<br># Create a new client certificate, signed by the above server<br>
# certificate.<br>#<br>######################################################################<br>
client.csr client.key: client.cnf<br> openssl req -new -out client.csr -keyout client.key -config ./client.cnf<br><br>client.crt: client.csr ca.pem ca.key index.txt serial<br> openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf<br>
<br>client.p12: client.crt<br> openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)<br><br>client.pem: client.p12<br> openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)<br>
cp client.pem $(USER_NAME).pem<br><br>.PHONY: client.vrfy<br>client.vrfy: ca.pem client.pem<br> c_rehash .<br> openssl verify -CApath . client.pem<div><div></div><div><br><br><br><div class="gmail_quote">
2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com" target="_blank">devinbhullar@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Ivan,<br><br>I can't seem to authenticate my Windows XP client using EAP authentication. I have followed the steps in /etc/raddb/certs <br>
<br>This is my radius start up<br>Module: Instantiating eap-tls <br>
tls { <br> rsa_key_exchange = no <br> dh_key_exchange = yes <br>
rsa_key_length = 512 <br> dh_key_length = 512 <br> verify_depth = 0 <br>
pem_file_type = yes <br> private_key_file = "/etc/raddb/certs/server.pem" <br> certificate_file = "/etc/raddb/certs/server.pem" <br>
CA_file = "/etc/raddb/certs/ca.pem" <br> private_key_password = "myettelap" <br> dh_file = "/etc/raddb/certs/dh" <br>
random_file = "/etc/raddb/certs/random" <br> fragment_size = 1024 <br> include_length = yes <br>
check_crl = no <br> cipher_list = "DEFAULT" <br> make_cert_command = "/etc/raddb/certs/bootstrap" <br>
cache { <br> enable = no <br> lifetime = 24 <br>
max_entries = 255 <br> } <br> } <br>
Module: Linked to sub-module rlm_eap_ttls <br> Module: Instantiating eap-ttls <br> ttls { <br>
default_eap_type = "md5" <br> copy_request_to_tunnel = no <br> use_tunneled_reply = no <br>
virtual_server = "inner-tunnel" <br> } <br> Module: Linked to sub-module rlm_eap_peap <br>
Module: Instantiating eap-peap <br> peap { <br> default_eap_type = "mschapv2" <br>
copy_request_to_tunnel = no <br> use_tunneled_reply = no <br> proxy_tunneled_request_as_eap = yes <br>
virtual_server = "inner-tunnel" <br> } <br> Module: Linked to sub-module rlm_eap_mschapv2 <br>
Module: Instantiating eap-mschapv2 <br> mschapv2 { <br> with_ntdomain_hack = no <br>
} <br> Module: Checking authorize {...} for more modules to load <br> Module: Linked to module rlm_realm <br>
Module: Instantiating suffix <br> realm suffix { <br> format = "suffix" <br>
delimiter = "@" <br> ignore_default = no <br> ignore_null = no <br>
} <br> Module: Linked to module rlm_files <br> Module: Instantiating files <br>
files { <br> usersfile = "/etc/raddb/users" <br> acctusersfile = "/etc/raddb/acct_users" <br>
preproxy_usersfile = "/etc/raddb/preproxy_users" <br> compat = "no" <br> } <br>
Module: Checking session {...} for more modules to load <br> Module: Linked to module rlm_radutmp <br> Module: Instantiating radutmp <br>
radutmp { <br> filename = "/var/log/radius/radutmp" <br> username = "%{User-Name}" <br>
case_sensitive = yes <br> check_with_nas = yes <br> perm = 384 <br>
callerid = yes <br> } <br> Module: Checking post-proxy {...} for more modules to load <br>
Module: Checking post-auth {...} for more modules to load <br> Module: Linked to module rlm_attr_filter <br> Module: Instantiating attr_filter.access_reject <br>
attr_filter attr_filter.access_reject { <br> attrsfile = "/etc/raddb/attrs.access_reject" <br> key = "%{User-Name}" <br>
} <br> } <br>} <br>
modules { <br> Module: Checking authenticate {...} for more modules to load <br> Module: Checking authorize {...} for more modules to load <br>
Module: Linked to module rlm_preprocess <br> Module: Instantiating preprocess <br> preprocess { <br>
huntgroups = "/etc/raddb/huntgroups" <br> hints = "/etc/raddb/hints" <br> with_ascend_hack = no <br>
ascend_channels_per_line = 23 <br> with_ntdomain_hack = no <br> with_specialix_jetstream_hack = no <br>
with_cisco_vsa_hack = no <br> with_alvarion_vsa_hack = no <br> } <br>
Module: Checking preacct {...} for more modules to load <br> Module: Linked to module rlm_acct_unique <br> Module: Instantiating acct_unique<br>
acct_unique {<br> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br> }<br> Module: Checking accounting {...} for more modules to load<br> Module: Linked to module rlm_detail<br>
Module: Instantiating detail<br> detail {<br> detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br> header = "%t"<br> detailperm = 384<br> dirperm = 493<br>
locking = no<br> log_packet_header = no<br> }<br> Module: Instantiating attr_filter.accounting_response<br> attr_filter attr_filter.accounting_response {<br> attrsfile = "/etc/raddb/attrs.accounting_response"<br>
key = "%{User-Name}"<br> }<br> Module: Checking session {...} for more modules to load<br> Module: Checking post-proxy {...} for more modules to load<br> Module: Checking post-auth {...} for more modules to load<br>
}<br>radiusd: #### Opening IP addresses and Ports ####<br>listen {<br> type = "auth"<br> ipaddr = *<br> port = 0<br>}<br>listen {<br> type = "acct"<br> ipaddr = *<br>
port = 0<br>}<br>Listening on authentication address * port 1812<br>Listening on accounting address * port 1813<br>Listening on proxy address * port 1814<br>Ready to process requests.<br><br><br><div class="gmail_quote">
2010/1/20 Devinder Singh <span dir="ltr"><<a href="mailto:devinbhullar@gmail.com" target="_blank">devinbhullar@gmail.com</a>></span><div><div></div><div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Hi Ivan,</div>
<div> </div>
<div>I created the certificates based on the README file in etc/raddb and copied ca.der and client.p12 to Windows XP</div>
<div> </div>
<div>I also made changes to the Makefile which runs on XP, but when I connect to the SSID I get authentication failed and the radius does not seem to get any response from the Proxim AP.</div>
<div> </div>
<div><br clear="all"><br>-- <br>Devinder<br></div>
</blockquote></div></div></div><br><br clear="all"><br>-- <br><font color="#888888">Devinder<br>
</font></blockquote></div><br><br clear="all"><br></div></div>-- <br><font color="#888888">Devinder<br>
</font></blockquote></div><br><br clear="all"><br></div></div>-- <br><font color="#888888">Devinder<br>
</font></blockquote></div><br><br clear="all"><br></div></div>-- <br><font color="#888888">Devinder<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Devinder<br>
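An added example (not part of the original message or of the FreeRADIUS Makefile): a shell check that mirrors the `client.vrfy` target and also confirms the client certificate carries the extension requested with `-extensions xpclient_ext`. It assumes `xpclient_ext` sets the clientAuth extended key usage (OID 1.3.6.1.5.5.7.3.2), which the message does not show; the CA, keys, subject names and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a client certificate the way client.vrfy does, then
# confirm it carries the clientAuth EKU. All keys and certs are constructed.

# check_client_cert CA.pem CLIENT.crt -> 0 ok, 1 chain failure, 2 EKU missing
check_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text |
        grep -q 'TLS Web Client Authentication' || return 2
    return 0
}

# make_demo_pki DIR: throwaway CA plus two client certificates, one signed
# with the extension section and one signed without it.
make_demo_pki() {
    d=$1
    # Assumption: what the xpextensions file defines for xpclient_ext.
    printf '[ xpclient_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.2\n' \
        > "$d/xpextensions"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=constructed-client' \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 \
        -extfile "$d/xpextensions" -extensions xpclient_ext \
        -out "$d/with_eku.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -out "$d/no_eku.crt" 2>/dev/null || return 1
}

# run_demo: echoes the two return codes; "0 2" means only the first
# certificate carries the clientAuth EKU.
run_demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    a=0; check_client_cert "$tmp/ca.pem" "$tmp/with_eku.crt" || a=$?
    b=0; check_client_cert "$tmp/ca.pem" "$tmp/no_eku.crt" || b=$?
    rm -rf "$tmp"
    echo "$a $b"
}

run_demo
```

Run against real files as `check_client_cert ca.pem client.crt`; a return code of 2 means the certificate verifies against the CA but was signed without the extension section.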