<HTML><HEAD>
<META content="text/html; charset=iso-8859-15" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16671"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Segoe UI">
<DIV>Hi Jake,</DIV>
<DIV> </DIV>
<DIV> Have you tried enabling tunnelled replies on the FreeRADIUS server? I believe it is in the eap.conf file. Not exactly sure of your config or what you are doing, but some of the data in the debug looks like ciphertext, which indicates to me that something is not decrypting the packets or does not know that the information it is getting is encrypted.</DIV>
<DIV> </DIV>
<DIV> I was seeing similar stuff in a debug on a Cisco switch I was configuring for dynamic VLAN switching with RADIUS; it turned out I had to enable tunneled replies for PEAP, EAP worked just fine.</DIV>
<DIV> </DIV>
<DIV> </DIV>
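<DIV>One way to read a debug like the one quoted below mechanically, as an added example for this thread (editor's code, not part of Brett's or Jake's message and not FreeRADIUS code): the Python below walks the [peap] TLS lines, using the convention that FreeRADIUS prints &lt;&lt;&lt; for records read from the supplicant and &gt;&gt;&gt; for records the server wrote, and reports whether the handshake had completed and which side sent the fatal alert. The sample text is a constructed, abridged copy of the [peap] lines from the debug; the function and class names are the example's own.</DIV>

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the TLS-related lines of the debug posted in this thread, abridged.
SAMPLE_DEBUG = """\
[peap] <<< TLS 1.0 Handshake [length 0071], ClientHello
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
SSL Connection Established
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
"""

# One TLS record as FreeRADIUS prints it: '<<<' was read from the supplicant,
# '>>>' was written by the server, so the arrow on an Alert tells you who gave up.
TLS_RECORD = re.compile(
    r"^\[peap\] (?P<dir><<<|>>>) TLS \d\.\d "
    r"(?P<kind>Handshake|Alert|ChangeCipherSpec|ApplicationData) "
    r"\[length (?P<length>[0-9a-fA-F]{4})\](?:, (?P<detail>.*))?$"
)

@dataclass
class TlsRecord:
    from_client: bool      # True for '<<<', False for '>>>'
    kind: str              # Handshake, Alert, ChangeCipherSpec or ApplicationData
    length: int            # record length decoded from the bracketed hex
    detail: str            # e.g. 'ClientHello' or 'fatal access_denied'
    after_handshake: bool  # seen after 'SSL Connection Established'

@dataclass
class PeapDiagnosis:
    records: List[TlsRecord] = field(default_factory=list)
    handshake_complete: bool = False
    server_sent_certificate: bool = False
    no_tunnel_data: bool = False
    alert: Optional[TlsRecord] = None  # first Alert record seen, if any
    verdict: str = "no_alert"

def diagnose_peap(debug: str) -> PeapDiagnosis:
    """Parse the debug text and classify where, and on which side, the session failed."""
    diag = PeapDiagnosis()
    for raw in debug.splitlines():
        line = raw.strip()
        if line == "SSL Connection Established":
            diag.handshake_complete = True
            continue
        if line.startswith("[peap] WARNING: No data inside of the tunnel"):
            diag.no_tunnel_data = True
            continue
        m = TLS_RECORD.match(line)
        if not m:
            continue
        rec = TlsRecord(
            from_client=(m.group("dir") == "<<<"),
            kind=m.group("kind"),
            length=int(m.group("length"), 16),
            detail=m.group("detail") or "",
            after_handshake=diag.handshake_complete,
        )
        diag.records.append(rec)
        if not rec.from_client and rec.detail == "Certificate":
            diag.server_sent_certificate = True
        if rec.kind == "Alert" and diag.alert is None:
            diag.alert = rec
    if diag.alert is None:
        diag.verdict = "no_alert"
    elif not diag.alert.from_client:
        diag.verdict = "server_aborted"
    elif diag.alert.after_handshake:
        diag.verdict = "client_aborted_after_handshake"
    else:
        diag.verdict = "client_aborted_during_handshake"
    return diag

EXPLANATIONS = {
    "client_aborted_after_handshake": "the supplicant completed the handshake and then sent a "
        "fatal alert instead of inner EAP data, so the server's key and certificate were usable "
        "and the refusal happened on the client after it had seen the server certificate",
    "client_aborted_during_handshake": "the supplicant aborted mid-handshake; look at what it "
        "received just before the alert (the server certificate, if one was already sent)",
    "server_aborted": "FreeRADIUS itself aborted the handshake; look at the server-side TLS setup",
    "no_alert": "no TLS alert in this debug",
}

def explain(diag: PeapDiagnosis) -> str:
    """One line a troubleshooter can act on."""
    desc = diag.alert.detail if diag.alert else "none"
    return f"{diag.verdict} (alert: {desc}): {EXPLANATIONS[diag.verdict]}"
```

<DIV> </DIV>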
<DIV><STRONG><FONT size=4 face="Times New Roman TUR">
<DIV><FONT size=4 face="Times New Roman TUR"><STRONG>Brett Littrell<BR>Network Manager<BR>Milpitas Unified School District<BR>blittrell@musd.org<BR>Ph# (408)635-2600 X6086<BR>Fax# (408)635-2632</STRONG></FONT></DIV>
<DIV> </DIV></FONT></STRONG><BR><BR>>>> On Friday, January 21, 2011 at 6:10 AM, in message <3A9815D880FBAF41A523B3A35AF3C3DF06B0D246@AVATAR.umhb.edu>, "Sallee, Stephen (Jake)" <Jake.Sallee@umhb.edu> wrote:<BR></DIV>
<TABLE style="MARGIN: 0px 0px 0px 15px; FONT-SIZE: 1em" border=0 bgColor=#f3f3f3>
<TBODY>
<TR>
<TD>
<DIV style="BORDER-LEFT: #050505 1px solid; PADDING-LEFT: 7px">Has anyone gotten Windows clients to work WITHOUT having to do any manual config on the clients?<BR><BR>Is it even possible?<BR><BR>Also, I have my shiny new publicly signed cert from Comodo, but my clients are still rejecting the connection ... I think the error is here:<BR><BR>[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied<BR>TLS Alert read:fatal:access denied<BR>[peap] WARNING: No data inside of the tunnel.<BR><BR>But I don't know why I would be getting a read error; the certs that I installed have the same permissions as the test certs...<BR><BR>Here is the full debug, any help is appreciated:<BR><BR>FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Sep 28 2010 at 09:20:29<BR>Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.<BR>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A<BR>PARTICULAR PURPOSE.<BR>You may redistribute copies of FreeRADIUS under the terms of the<BR>GNU General Public License v2.<BR>Starting - reading configuration files ...<BR>including configuration file /usr/local/etc/raddb/radiusd.conf<BR>including configuration file /usr/local/etc/raddb/proxy.conf<BR>including configuration file /usr/local/etc/raddb/clients.conf<BR>including files in directory /usr/local/etc/raddb/modules/<BR>including configuration file /usr/local/etc/raddb/modules/realm<BR>including configuration file /usr/local/etc/raddb/modules/linelog<BR>including configuration file /usr/local/etc/raddb/modules/etc_group<BR>including configuration file /usr/local/etc/raddb/modules/pap<BR>including configuration file /usr/local/etc/raddb/modules/detail<BR>including configuration file /usr/local/etc/raddb/modules/pam<BR>including configuration file /usr/local/etc/raddb/modules/detail.log<BR>including configuration file /usr/local/etc/raddb/modules/ntlm_auth<BR>including configuration file /usr/local/etc/raddb/modules/mac2vlan<BR>including
configuration file /usr/local/etc/raddb/modules/radutmp<BR>including configuration file /usr/local/etc/raddb/modules/opendirectory<BR>including configuration file /usr/local/etc/raddb/modules/smbpasswd<BR>including configuration file /usr/local/etc/raddb/modules/digest<BR>including configuration file /usr/local/etc/raddb/modules/checkval<BR>including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login<BR>including configuration file /usr/local/etc/raddb/modules/exec<BR>including configuration file /usr/local/etc/raddb/modules/counter<BR>including configuration file /usr/local/etc/raddb/modules/logintime<BR>including configuration file /usr/local/etc/raddb/modules/cui<BR>including configuration file /usr/local/etc/raddb/modules/mschap<BR>including configuration file /usr/local/etc/raddb/modules/files<BR>including configuration file /usr/local/etc/raddb/modules/detail.example.com<BR>including configuration file /usr/local/etc/raddb/modules/dynamic_clients<BR>including configuration file /usr/local/etc/raddb/modules/perl<BR>including configuration file /usr/local/etc/raddb/modules/expiration<BR>including configuration file /usr/local/etc/raddb/modules/inner-eap<BR>including configuration file /usr/local/etc/raddb/modules/ippool<BR>including configuration file /usr/local/etc/raddb/modules/otp<BR>including configuration file /usr/local/etc/raddb/modules/sradutmp<BR>including configuration file /usr/local/etc/raddb/modules/unix<BR>including configuration file /usr/local/etc/raddb/modules/chap<BR>including configuration file /usr/local/etc/raddb/modules/attr_filter<BR>including configuration file /usr/local/etc/raddb/modules/preprocess<BR>including configuration file /usr/local/etc/raddb/modules/passwd<BR>including configuration file /usr/local/etc/raddb/modules/krb5<BR>including configuration file /usr/local/etc/raddb/modules/acct_unique<BR>including configuration file /usr/local/etc/raddb/modules/policy<BR>including configuration file 
/usr/local/etc/raddb/modules/smsotp<BR>including configuration file /usr/local/etc/raddb/modules/expr<BR>including configuration file /usr/local/etc/raddb/modules/wimax<BR>including configuration file /usr/local/etc/raddb/modules/mac2ip<BR>including configuration file /usr/local/etc/raddb/modules/attr_rewrite<BR>including configuration file /usr/local/etc/raddb/modules/ldap<BR>including configuration file /usr/local/etc/raddb/modules/echo<BR>including configuration file /usr/local/etc/raddb/modules/always<BR>including configuration file /usr/local/etc/raddb/modules/sql_log<BR>including configuration file /usr/local/etc/raddb/eap.conf<BR>including configuration file /usr/local/etc/raddb/policy.conf<BR>including files in directory /usr/local/etc/raddb/sites-enabled/<BR>including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel<BR>including configuration file /usr/local/etc/raddb/sites-enabled/UMHB<BR>including configuration file /usr/local/etc/raddb/sites-available/default<BR>including configuration file /usr/local/etc/raddb/sites-enabled/control-socket<BR>including configuration file /usr/local/etc/raddb/sites-enabled/Cru<BR>including configuration file /usr/local/etc/raddb/sites-available/default<BR>including configuration file /usr/local/etc/raddb/sites-enabled/default<BR>main {<BR> allow_core_dumps = no<BR>}<BR>including dictionary file /usr/local/etc/raddb/dictionary<BR>main {<BR> prefix = "/usr/local"<BR> localstatedir = "/usr/local/var"<BR> logdir = "/usr/local/var/log/radius"<BR> libdir = "/usr/local/lib"<BR> radacctdir = "/usr/local/var/log/radius/radacct"<BR> hostname_lookups = no<BR> max_request_time = 30<BR> cleanup_delay = 5<BR> max_requests = 25600<BR> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"<BR> checkrad = "/usr/local/sbin/checkrad"<BR> debug_level = 0<BR> proxy_requests = yes<BR>log {<BR> stripped_names = no<BR> auth = no<BR> auth_badpass = no<BR> auth_goodpass = no<BR>}<BR>security {<BR> max_attributes = 200<BR> 
reject_delay = 1<BR> status_server = yes<BR>}<BR>}<BR>radiusd: #### Loading Realms and Home Servers ####<BR>proxy server {<BR> retry_delay = 5<BR> retry_count = 3<BR> default_fallback = no<BR> dead_time = 120<BR> wake_all_if_all_dead = no<BR>}<BR>home_server localhost {<BR> ipaddr = 127.0.0.1<BR> port = 1812<BR> type = "auth"<BR> secret = "testing123"<BR> response_window = 20<BR> max_outstanding = 65536<BR> require_message_authenticator = no<BR> zombie_period = 40<BR> status_check = "status-server"<BR> ping_interval = 30<BR> check_interval = 30<BR> num_answers_to_alive = 3<BR> num_pings_to_alive = 3<BR> revive_interval = 120<BR> status_check_timeout = 4<BR> irt = 2<BR> mrt = 16<BR> mrc = 5<BR> mrd = 30<BR>}<BR>home_server_pool my_auth_failover {<BR> type = fail-over<BR> home_server = localhost<BR>}<BR>realm example.com {<BR> auth_pool = my_auth_failover<BR> nostrip<BR>}<BR>realm LOCAL {<BR>}<BR>realm Cru {<BR>}<BR>realm Cru.umhb.edu {<BR>}<BR>realm umhb {<BR>}<BR>realm umhb.edu {<BR>}<BR>radiusd: #### Loading Clients ####<BR>client localhost {<BR> ipaddr = 127.0.0.1<BR> require_message_authenticator = no<BR> secret = "testing123"<BR> nastype = "other"<BR>}<BR>client 10.2.1.75/32 {<BR> require_message_authenticator = no<BR> secret = "Burg3rk1ng!"<BR> shortname = "PacketFence"<BR>}<BR>client 10.11.30.0/24 {<BR> require_message_authenticator = no<BR> secret = "Burg3rk1ng!"<BR> shortname = "Sanderford"<BR>}<BR>client 10.11.60.0/24 {<BR> require_message_authenticator = no<BR> secret = "Burg3rk1ng!"<BR> shortname = "Sanderford"<BR>}<BR>radiusd: #### Instantiating modules ####<BR>instantiate {<BR>Module: Linked to module rlm_exec<BR>Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec<BR> exec {<BR> wait = no<BR> input_pairs = "request"<BR> shell_escape = yes<BR> }<BR>Module: Linked to module rlm_expr<BR>Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr<BR>Module: Linked to module rlm_expiration<BR>Module: 
Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration<BR> expiration {<BR> reply-message = "Password Has Expired "<BR> }<BR>Module: Linked to module rlm_logintime<BR>Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime<BR> logintime {<BR> reply-message = "You are calling outside your allowed timespan "<BR> minimum-timeout = 60<BR> }<BR>}<BR>radiusd: #### Loading Virtual Servers ####<BR>server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel<BR>modules {<BR>Module: Checking authenticate {...} for more modules to load<BR>Module: Linked to module rlm_pap<BR>Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap<BR> pap {<BR> encryption_scheme = "auto"<BR> auto_header = no<BR> }<BR>Module: Linked to module rlm_chap<BR>Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap<BR>Module: Linked to module rlm_mschap<BR>Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap<BR> mschap {<BR> use_mppe = yes<BR> require_encryption = no<BR> require_strong = no<BR> with_ntdomain_hack = yes<BR> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"<BR> }<BR>Module: Linked to module rlm_unix<BR>Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix<BR> unix {<BR> radwtmp = "/usr/local/var/log/radius/radwtmp"<BR> }<BR>Module: Linked to module rlm_eap<BR>Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf<BR> eap {<BR> default_eap_type = "peap"<BR> timer_expire = 60<BR> ignore_unknown_eap_types = no<BR> cisco_accounting_username_bug = no<BR> max_sessions = 4096<BR> }<BR>Module: Linked to sub-module rlm_eap_md5<BR>Module: Instantiating eap-md5<BR>Module: Linked to sub-module rlm_eap_leap<BR>Module: Instantiating 
eap-leap<BR>Module: Linked to sub-module rlm_eap_gtc<BR>Module: Instantiating eap-gtc<BR> gtc {<BR> challenge = "Password: "<BR> auth_type = "PAP"<BR> }<BR>Module: Linked to sub-module rlm_eap_tls<BR>Module: Instantiating eap-tls<BR> tls {<BR> rsa_key_exchange = no<BR> dh_key_exchange = yes<BR> rsa_key_length = 512<BR> dh_key_length = 512<BR> verify_depth = 0<BR> pem_file_type = yes<BR> private_key_file = "/usr/local/etc/raddb/certs/Production/myserver.key"<BR> certificate_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.crt"<BR> CA_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.ca-bundle"<BR> private_key_password = "Burg3rk1ng!"<BR> dh_file = "/usr/local/etc/raddb/certs/Production/dh"<BR> random_file = "/usr/local/etc/raddb/certs/Production/random"<BR> fragment_size = 1024<BR> include_length = yes<BR> check_crl = no<BR> cipher_list = "DEFAULT"<BR> make_cert_command = "/usr/local/etc/raddb/certs/Production/bootstrap"<BR> cache {<BR> enable = no<BR> lifetime = 24<BR> max_entries = 255<BR> }<BR> }<BR>Module: Linked to sub-module rlm_eap_ttls<BR>Module: Instantiating eap-ttls<BR> ttls {<BR> default_eap_type = "md5"<BR> copy_request_to_tunnel = yes<BR> use_tunneled_reply = yes<BR> virtual_server = "inner-tunnel"<BR> include_length = yes<BR> }<BR>Module: Linked to sub-module rlm_eap_peap<BR>Module: Instantiating eap-peap<BR> peap {<BR> default_eap_type = "mschapv2"<BR> copy_request_to_tunnel = yes<BR> use_tunneled_reply = yes<BR> proxy_tunneled_request_as_eap = yes<BR> virtual_server = "inner-tunnel"<BR> }<BR>Module: Linked to sub-module rlm_eap_mschapv2<BR>Module: Instantiating eap-mschapv2<BR> mschapv2 {<BR> with_ntdomain_hack = no<BR> }<BR>Module: Checking authorize {...} for more modules to load<BR>Module: Linked to module rlm_realm<BR>Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm<BR> realm suffix {<BR> format = "suffix"<BR> delimiter = "@"<BR> ignore_default = no<BR> ignore_null = no<BR> }<BR>Module: 
Linked to module rlm_files<BR>Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files<BR> files {<BR> usersfile = "/usr/local/etc/raddb/users"<BR> acctusersfile = "/usr/local/etc/raddb/acct_users"<BR> preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"<BR> compat = "no"<BR> }<BR>Module: Linked to module rlm_perl<BR>Module: Instantiating module "perl" from file /usr/local/etc/raddb/modules/perl<BR> perl {<BR> module = "/usr/local/etc/raddb/packetfence.pm"<BR> func_authorize = "authorize"<BR> func_authenticate = "authenticate"<BR> func_accounting = "accounting"<BR> func_preacct = "preacct"<BR> func_checksimul = "checksimul"<BR> func_detach = "detach"<BR> func_xlat = "xlat"<BR> func_pre_proxy = "pre_proxy"<BR> func_post_proxy = "post_proxy"<BR> func_post_auth = "post_auth"<BR> func_recv_coa = "recv_coa"<BR> func_send_coa = "send_coa"<BR> }<BR>Module: Checking session {...} for more modules to load<BR>Module: Linked to module rlm_radutmp<BR>Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp<BR> radutmp {<BR> filename = "/usr/local/var/log/radius/radutmp"<BR> username = "%{User-Name}"<BR> case_sensitive = yes<BR> check_with_nas = yes<BR> perm = 384<BR> callerid = yes<BR> }<BR>Module: Checking post-proxy {...} for more modules to load<BR>Module: Checking post-auth {...} for more modules to load<BR>Module: Linked to module rlm_attr_filter<BR>Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter<BR> attr_filter attr_filter.access_reject {<BR> attrsfile = "/usr/local/etc/raddb/attrs.access_reject"<BR> key = "%{User-Name}"<BR> }<BR>} # modules<BR>} # server<BR>server UMHB { # from file /usr/local/etc/raddb/sites-enabled/UMHB<BR>modules {<BR>Module: Checking authenticate {...} for more modules to load<BR>Module: Checking authorize {...} for more modules to load<BR>Module: Linked to module rlm_preprocess<BR>Module: Instantiating module "preprocess" from 
file /usr/local/etc/raddb/modules/preprocess<BR> preprocess {<BR> huntgroups = "/usr/local/etc/raddb/huntgroups"<BR> hints = "/usr/local/etc/raddb/hints"<BR> with_ascend_hack = no<BR> ascend_channels_per_line = 23<BR> with_ntdomain_hack = no<BR> with_specialix_jetstream_hack = no<BR> with_cisco_vsa_hack = no<BR> with_alvarion_vsa_hack = no<BR> }<BR>Module: Checking preacct {...} for more modules to load<BR>Module: Linked to module rlm_acct_unique<BR>Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique<BR> acct_unique {<BR> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<BR> }<BR>Module: Checking accounting {...} for more modules to load<BR>Module: Linked to module rlm_detail<BR>Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail<BR> detail {<BR> detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<BR> header = "%t"<BR> detailperm = 384<BR> dirperm = 493<BR> locking = no<BR> log_packet_header = no<BR> }<BR>Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter<BR> attr_filter attr_filter.accounting_response {<BR> attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"<BR> key = "%{User-Name}"<BR> }<BR>Module: Checking session {...} for more modules to load<BR>Module: Checking post-proxy {...} for more modules to load<BR>Module: Checking post-auth {...} for more modules to load<BR>} # modules<BR>} # server<BR>server Cru { # from file /usr/local/etc/raddb/sites-enabled/Cru<BR>modules {<BR>Module: Checking authenticate {...} for more modules to load<BR>Module: Checking authorize {...} for more modules to load<BR>Module: Checking preacct {...} for more modules to load<BR>Module: Checking accounting {...} for more modules to load<BR>Module: Checking session {...} for more modules to load<BR>Module: Checking post-proxy {...} for more modules to load<BR>Module: Checking 
post-auth {...} for more modules to load<BR>} # modules<BR>} # server<BR>server { # from file /usr/local/etc/raddb/radiusd.conf<BR>modules {<BR>Module: Checking authenticate {...} for more modules to load<BR>Module: Checking authorize {...} for more modules to load<BR>Module: Checking preacct {...} for more modules to load<BR>Module: Checking accounting {...} for more modules to load<BR>Module: Checking session {...} for more modules to load<BR>Module: Checking post-proxy {...} for more modules to load<BR>Module: Checking post-auth {...} for more modules to load<BR>} # modules<BR>} # server<BR>radiusd: #### Opening IP addresses and Ports ####<BR>listen {<BR> type = "auth"<BR> ipaddr = *<BR> port = 0<BR>}<BR>listen {<BR> type = "acct"<BR> ipaddr = *<BR> port = 0<BR>}<BR>listen {<BR> type = "control"<BR>listen {<BR> socket = "/usr/local/var/run/radiusd/radiusd.sock"<BR>}<BR>}<BR>Listening on authentication address * port 1812<BR>Listening on accounting address * port 1813<BR>Listening on command file /usr/local/var/run/radiusd/radiusd.sock<BR>Listening on proxy address * port 1814<BR>Ready to process requests.<BR>======================================================<BR>rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=226, length=193<BR> User-Name = "host/Lappy.umhb.edu"<BR> NAS-IP-Address = 10.11.60.2<BR> NAS-Port = 129<BR> Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"<BR> Calling-Station-Id = "C4-17-FE-33-C6-A7"<BR> Framed-MTU = 1400<BR> NAS-Port-Type = Wireless-802.11<BR> Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"<BR> EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475<BR> Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801<BR># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL<BR>[suffix] 
No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 1 length 24<BR>[eap] No EAP Start, assuming it's an on-going EAP conversation<BR>++[eap] returns updated<BR>++[unix] returns notfound<BR>++[files] returns noop<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<BR>++[pap] returns noop<BR>rlm_perl: Added pair NAS-Port-Type = Wireless-802.11<BR>rlm_perl: Added pair Calling-Station-Id = C4-17-FE-33-C6-A7<BR>rlm_perl: Added pair Called-Station-Id = 00-0F-7D-05-0E-81:UMHB Secure WiFi<BR>rlm_perl: Added pair Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801<BR>rlm_perl: Added pair User-Name = host/Lappy.umhb.edu<BR>rlm_perl: Added pair EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475<BR>rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/1Mbps 802.11b<BR>rlm_perl: Added pair EAP-Type = Identity<BR>rlm_perl: Added pair NAS-IP-Address = 10.11.60.2<BR>rlm_perl: Added pair NAS-Port = 129<BR>rlm_perl: Added pair Framed-MTU = 1400<BR>rlm_perl: Added pair Auth-Type = EAP<BR>++[perl] returns noop<BR>Found Auth-Type = EAP<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authenticate {...}<BR>[eap] EAP Identity<BR>[eap] processing type tls<BR>[tls] Initiate<BR>[tls] Start returned 1<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 226 to 10.11.60.2 port 32777<BR> EAP-Message = 0x010200061920<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x330f4dc9330d546872b9f993281128fc<BR>Finished request 0.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=227, length=315<BR> User-Name = "host/Lappy.umhb.edu"<BR> NAS-IP-Address = 10.11.60.2<BR> NAS-Port = 129<BR> Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"<BR> Calling-Station-Id = 
"C4-17-FE-33-C6-A7"<BR> Framed-MTU = 1400<BR> NAS-Port-Type = Wireless-802.11<BR> Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"<BR> EAP-Message = 0x0202008019800000007616030100710100006d03014d39919676cd85f8dcfe3f2afef335ec7a98b2eb9095d964891b3484c06fc78e000018002f00350005000ac013c014c009c00a00320038001300040100002cff0100010000000013001100000e6c617070792e756d68622e656475000a0006000400170018000b00020100<BR> State = 0x330f4dc9330d546872b9f993281128fc<BR> Message-Authenticator = 0x9165fc9281fe451bdcf9db8487dd8e79<BR># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 2 length 128<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR> TLS Length 118<BR>[peap] Length Included<BR>[peap] eaptls_verify returned 11<BR>[peap] (other): before/accept initialization<BR>[peap] TLS_accept: before/accept initialization<BR>[peap] <<< TLS 1.0 Handshake [length 0071], ClientHello<BR>[peap] TLS_accept: SSLv3 read client hello A<BR>[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello<BR>[peap] TLS_accept: SSLv3 write server hello A<BR>[peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate<BR>[peap] TLS_accept: SSLv3 write certificate A<BR>[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone<BR>[peap] TLS_accept: SSLv3 write server done A<BR>[peap] TLS_accept: SSLv3 flush data<BR>[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A<BR>In SSL Handshake Phase<BR>In SSL Accept 
mode<BR>[peap] eaptls_process returned 13<BR>[peap] EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 227 to 10.11.60.2 port 32777<BR> EAP-Message = 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<BR> EAP-Message = 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<BR> EAP-Message = 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<BR> EAP-Message = 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<BR> EAP-Message = 0x68747470733a2f2f73656375<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x330f4dc9320c546872b9f993281128fc<BR>Finished request 1.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=228, length=193<BR> User-Name = "host/Lappy.umhb.edu"<BR> NAS-IP-Address = 10.11.60.2<BR> NAS-Port = 129<BR> Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"<BR> Calling-Station-Id = "C4-17-FE-33-C6-A7"<BR> Framed-MTU = 1400<BR> NAS-Port-Type = Wireless-802.11<BR> Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"<BR> EAP-Message = 0x020300061900<BR> State = 0x330f4dc9320c546872b9f993281128fc<BR> Message-Authenticator = 0x735474693c2ad02c4b885b94ea32aad5<BR># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 3 length 6<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR>[peap] Received TLS ACK<BR>[peap] ACK handshake fragment 
handler<BR>[peap] eaptls_verify returned 1<BR>[peap] eaptls_process returned 13<BR>[peap] EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 228 to 10.11.60.2 port 32777<BR> EAP-Message = 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<BR> EAP-Message = 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<BR> EAP-Message = 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<BR> EAP-Message = 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<BR> EAP-Message = 0x37b9c76dce77c726<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x330f4dc9310b546872b9f993281128fc<BR>Finished request 2.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=229, length=193<BR> User-Name = "host/Lappy.umhb.edu"<BR> NAS-IP-Address = 10.11.60.2<BR> NAS-Port = 129<BR> Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"<BR> Calling-Station-Id = "C4-17-FE-33-C6-A7"<BR> Framed-MTU = 1400<BR> NAS-Port-Type = Wireless-802.11<BR> Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"<BR> EAP-Message = 0x020400061900<BR> State = 0x330f4dc9310b546872b9f993281128fc<BR> Message-Authenticator = 0x61212145984f95fcd4339ef828985296<BR># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 4 length 6<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR>[peap] Received TLS ACK<BR>[peap] ACK 
handshake fragment handler<BR>[peap] eaptls_verify returned 1<BR>[peap] eaptls_process returned 13<BR>[peap] EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 229 to 10.11.60.2 port 32777<BR> EAP-Message = 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<BR> EAP-Message = 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<BR> EAP-Message = 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<BR> EAP-Message = 0xdf6022f05aa57aa22fe47073ee3cd4262b6807c1207ae8985a3e7b9f028b62c085818060357ea51d0cd29cdf62450ddbfc37fbf5252216030100040e000000<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x330f4dc9300a546872b9f993281128fc<BR>Finished request 3.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=230, length=525<BR> User-Name = "host/Lappy.umhb.edu"<BR> NAS-IP-Address = 10.11.60.2<BR> NAS-Port = 129<BR> Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"<BR> Calling-Station-Id = "C4-17-FE-33-C6-A7"<BR> Framed-MTU = 1400<BR> NAS-Port-Type = Wireless-802.11<BR> Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"<BR> EAP-Message = 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<BR> EAP-Message = 0x1163bb4e662da80dabf30e1455b1be69bd55c68de35bcb7d1403010001011603010030f378c58fc4f96e96bf4aba29aa08962242ce0e3007898a99849af855f11f5116f7ecea3850db2d6561b4599c404e627a<BR> State = 0x330f4dc9300a546872b9f993281128fc<BR> Message-Authenticator = 0x06d78d3c33e3d757129782abcb1d3133<BR># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 5 length 253<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = 
EAP<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR> TLS Length 326<BR>[peap] Length Included<BR>[peap] eaptls_verify returned 11<BR>[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange<BR>[peap] TLS_accept: SSLv3 read client key exchange A<BR>[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]<BR>[peap] <<< TLS 1.0 Handshake [length 0010], Finished<BR>[peap] TLS_accept: SSLv3 read finished A<BR>[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]<BR>[peap] TLS_accept: SSLv3 write change cipher spec A<BR>[peap] >>> TLS 1.0 Handshake [length 0010], Finished<BR>[peap] TLS_accept: SSLv3 write finished A<BR>[peap] TLS_accept: SSLv3 flush data<BR>[peap] (other): SSL negotiation finished successfully<BR>SSL Connection Established<BR>[peap] eaptls_process returned 13<BR>[peap] EAPTLS_HANDLED<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 230 to 10.11.60.2 port 32777<BR> EAP-Message = 0x010600411900140301000101160301003005369ff6b06a4224824062f6fcfe0092357c4da2fd59baab8c1c5b071e939e71e83b578bd081ee5fa8d3ac3566b8a1bd<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0x330f4dc93709546872b9f993281128fc<BR>Finished request 4.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=231, length=234<BR> User-Name = "host/Lappy.umhb.edu"<BR> NAS-IP-Address = 10.11.60.2<BR> NAS-Port = 129<BR> Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"<BR> Calling-Station-Id = "C4-17-FE-33-C6-A7"<BR> Framed-MTU = 1400<BR> NAS-Port-Type = Wireless-802.11<BR> Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"<BR> EAP-Message = 0x0206002f198000000025150301002071521862587c6d52360e98091cd5d99f81ea6febe82fd2a7401f8b1970c3cf65<BR> State = 0x330f4dc93709546872b9f993281128fc<BR> 
Message-Authenticator = 0xe0cebdb5cdcd98a378bd88f15213b843<BR># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] EAP packet type response id 6 length 47<BR>[eap] Continuing tunnel setup.<BR>++[eap] returns ok<BR>Found Auth-Type = EAP<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP/peap<BR>[eap] processing type peap<BR>[peap] processing EAP-TLS<BR> TLS Length 37<BR>[peap] Length Included<BR>[peap] eaptls_verify returned 11<BR>[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied<BR>TLS Alert read:fatal:access denied<BR>[peap] WARNING: No data inside of the tunnel.<BR>[peap] eaptls_process returned 7<BR>[peap] EAPTLS_OK<BR>[peap] Session established. 
Decoding tunneled attributes.<BR>[peap] Peap state ?<BR>[peap] FAILED processing PEAP: Tunneled data is invalid.<BR>[eap] Handler failed in EAP/peap<BR>[eap] Failed in EAP select<BR>++[eap] returns invalid<BR>Failed to authenticate the user.<BR>Using Post-Auth-Type Reject<BR># Executing group from file /usr/local/etc/raddb/sites-enabled/default<BR>+- entering group REJECT {...}<BR>[attr_filter.access_reject] expand: %{User-Name} -> host/Lappy.umhb.edu<BR>attr_filter: Matched entry DEFAULT at line 11<BR>++[attr_filter.access_reject] returns updated<BR>Delaying reject of request 5 for 1 seconds<BR>Going to the next request<BR>Waking up in 0.9 seconds.<BR>Sending delayed reject for request 5<BR>Sending Access-Reject of id 231 to 10.11.60.2 port 32777<BR> EAP-Message = 0x04060004<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR>Waking up in 3.9 seconds.<BR>Cleaning up request 0 ID 226 with timestamp +18<BR>Cleaning up request 1 ID 227 with timestamp +18<BR>Cleaning up request 2 ID 228 with timestamp +18<BR>Cleaning up request 3 ID 229 with timestamp +18<BR>Cleaning up request 4 ID 230 with timestamp +18<BR>Waking up in 1.0 seconds.<BR>Cleaning up request 5 ID 231 with timestamp +18<BR>Ready to process requests.<BR><BR><BR>Jake Sallee<BR>Godfather of Bandwidth<BR>Network Engineer<BR>University of Mary Hardin-Baylor<BR><BR>900 College St.<BR>Belton, Texas<BR>76513<BR><BR>Fone: 254-295-4658<BR>Phax: 254-295-4221<BR>________________________________<BR>From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] on behalf of Peter Lambrechtsen [plambrechtsen@gmail.com]<BR>Sent: Friday, January 21, 2011 7:11 AM<BR>To: FreeRadius users mailing list<BR>Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS<BR><BR>On Fri, Jan 21, 2011 at 10:33 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:<BR>> 2) Issuing client certs isn't that 
difficult. With windows vista/7,<BR>> installing a cert is a simple double-click operation, so if they have a<BR>> usb flash, you can use linux to zip a copy of their private key and a .doc<BR>> with instructions (including screenies!) on configuring their OS in a<BR>> matter of seconds, all they have to do is stop by IT to request a key<BR>> once, and it's good for as long as you honour it.<BR><BR>If dealing with client keys - most of the time it's just PEAP with user/pass<BR>and it's the CA that's an issue. Even then there are ways of doing this quite<BR>easily... e.g. <A href="https://su1x.sf.net">https://su1x.sf.net</A><BR><BR>I also quite like using the root certificates tool which happily imports certificates into the root certificate store in windows.<BR><BR>Go to here: <A href="http://support.microsoft.com/kb/931125">http://support.microsoft.com/kb/931125</A><BR><BR>Download "rootsupd.exe" (<A href="http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe">http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe</A>) from there and expand it with winzip or winrar.<BR><BR>Then convert your DER file into a P7B using OpenSSL:<BR><BR>openssl crl2pkcs7 -nocrl -certfile internalca1.der -certfile internalca2.der -out internalca.p7b<BR><BR>Then use "updroots.exe" included in the exe to import the certificate into your local certificate chain:<BR><BR>updroots -l internalca.p7b<BR><BR>And you're done.<BR><BR>You can even use "iexpress" if you're running windows XP to re-package everything back into a self-extracting exe.<BR><BR>-<BR>List info/subscribe/unsubscribe? See <A href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR></DIV></TD></TR></TBODY></TABLE></BODY></HTML>
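An added example, not code from the thread, from FreeRADIUS or from Microsoft, that exercises the DER-to-P7B bundling step quoted above end to end on the Linux side. It generates two throw-away self-signed CA certificates as stand-ins for the "internalca1/internalca2" files, converts them from DER to PEM first (in OpenSSL 1.x the crl2pkcs7 -certfile option reads PEM only, a step the one-liner in the post does not show), bundles them with openssl crl2pkcs7 -nocrl, and then lists and counts the certificates inside the resulting .p7b, which is what "updroots -l" would later import into the Windows root store. The file names and the $WORK scratch directory are this script's own assumptions; it only needs openssl on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, FreeRADIUS or Microsoft):
# reproduce the DER -> P7B bundling step from the quoted reply using
# self-generated test CAs, so it runs end to end without real CA files.
# Assumes `openssl` is on PATH. File names (internalca1, internalca2,
# internalca.p7b) are placeholders mirroring the post; $WORK is a scratch dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a throw-away self-signed CA (constructed test data) and keep it only
# in DER form, mimicking the "internalca*.der" inputs mentioned in the post.
make_test_ca_der() {   # $1 = base name, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.src.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/$1.src.pem" -outform DER -out "$WORK/$1.der"
  rm -f "$WORK/$1.src.pem"
}

# crl2pkcs7 -certfile expects PEM input (OpenSSL 1.x), so DER certificates
# are converted first; this is the step the one-liner in the post leaves out.
der_to_pem() {         # $1 = input .der, $2 = output .pem
  openssl x509 -inform DER -in "$1" -out "$2"
}

# Bundle PEM CA certificates into a single PKCS#7 (.p7b) container, the
# format updroots.exe imports on Windows.
build_p7b() {          # $1 = output .p7b, remaining args = PEM cert files
  out="$1"; shift
  args=""
  for cert in "$@"; do args="$args -certfile $cert"; done
  # $args is intentionally unquoted so it expands into separate options
  # (mktemp paths contain no whitespace).
  openssl crl2pkcs7 -nocrl $args -out "$out"
}

# Count certificates inside a .p7b: -print_certs emits one "subject=" line
# per certificate, in every OpenSSL release's output format.
count_p7b_certs() {    # $1 = .p7b file; prints the count
  openssl pkcs7 -in "$1" -print_certs | grep -c '^subject='
}

# Print the subjects so the bundle can be reviewed before it is trusted
# (the Windows-side import from the post would then be: updroots -l file.p7b).
list_p7b_subjects() {  # $1 = .p7b file
  openssl pkcs7 -in "$1" -print_certs | grep '^subject='
}

# Full walk-through: two DER CAs -> PEM -> one internalca.p7b.
# Prints the path of the bundle it produced.
build_demo_bundle() {
  make_test_ca_der internalca1 "Example Internal CA 1"
  make_test_ca_der internalca2 "Example Internal CA 2"
  der_to_pem "$WORK/internalca1.der" "$WORK/internalca1.pem"
  der_to_pem "$WORK/internalca2.der" "$WORK/internalca2.pem"
  build_p7b "$WORK/internalca.p7b" "$WORK/internalca1.pem" "$WORK/internalca2.pem"
  printf '%s\n' "$WORK/internalca.p7b"
}

# Usage: sh bundle_ca.sh run
if [ "${1:-}" = "run" ]; then
  bundle="$(build_demo_bundle)"
  echo "bundle: $bundle"
  list_p7b_subjects "$bundle"
fi
```

Reviewing the subjects before shipping the .p7b matters more than the packaging itself: whatever is in that bundle ends up in every client's trusted root store, so the bundle should contain only the internal CA(s) that actually sign the RADIUS server certificate.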
