<div dir="ltr"><div>I changed the rule and this is solved.<br><br></div>My users file<br><div>_______________________________________<br><br>DEFAULT         Huntgroup-Name == "cisco"<br>                Service-Type = NAS-Prompt-User,<br>                Cisco-AVPair = "shell:priv-lvl=15",<br>                Fall-Through = Yes<br><br>DEFAULT         Group == "Central"<br><br>DEFAULT         Group == "DEP25", Client-Shortname == "25"<br>DEFAULT         Group == "DEP29", Client-Shortname == "29"<br><div><div class="gmail_extra">DEFAULT         Group == "DEP57", Client-Shortname == "57"<br><br>DEFAULT         Auth-Type := Reject<br>______________________________________<br><br><br></div><div class="gmail_extra">For my second problem, it isn't resolved.<br>debug:<br>Error: TLS Alert read:fatal:unknown CA<br>

Sun Feb  2 22:03:14 2014 : Error:     TLS_accept: failed in SSLv3 read client certificate A<br>Sun Feb  2 22:03:14 2014 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<br>Sun Feb  2 22:03:14 2014 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.<br>
<br>and the user trace:<br> ./eapol_test -c eapol-config -a xen-squeeze-freeradius -p 1812 -s testing123 -r1<br><br>EAPOL: Received EAP-Packet frame<br>EAPOL: SUPP_BE entering state REQUEST<br>EAPOL: getSuppRsp<br>EAP: EAP entering state RECEIVED<br>

EAP: Received EAP-Request id=4 method=21 vendor=0 vendorMethod=0<br>EAP: EAP entering state METHOD<br>SSL: Received packet(len=509) - Flags 0x80<br>SSL: TLS Message Length: 2527<br>SSL: (where=0x1001 ret=0x1)<br>SSL: SSL_connect:SSLv3 read server hello A<br>

<span style="background-color:rgb(255,217,102)">TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=xen-squeeze-freeradius'<br>
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=xen-squeeze-freeradius' err='self signed certificate in certificate chain'<br>
</span>SSL: (where=0x4008 ret=0x230)<br>SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA<br>SSL: (where=0x1002 ret=0xffffffff)<br>SSL: SSL_connect:error in SSLv3 read server certificate B<br>OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br>

SSL: 7 bytes pending from ssl_out<br>SSL: Failed - tls_out available to report error<br>SSL: 7 bytes left to be sent out (of total 7 bytes)<br>EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL<br>
EAP: EAP entering state SEND_RESPONSE<br>
EAP: EAP entering state IDLE<br>EAPOL: SUPP_BE entering state RESPONSE<br><br></div><div class="gmail_extra">My ca.cnf<br>...<br>[ req ]<br>prompt            = no<br>distinguished_name    = certificate_authority<br>default_bits        = 2048<br>input_password        = whatever<br>output_password        = whatever<br>x509_extensions        = v3_ca<br><br>[certificate_authority]<br>countryName        = FR<br>stateOrProvinceName    = Radius<br>localityName        = Somewhere<br>organizationName    = Example Inc.<br>emailAddress        = admin@example.com<br>commonName        = "xen-squeeze-freeradius"<br><br>[v3_ca]<br>subjectKeyIdentifier    = hash<br>authorityKeyIdentifier    = keyid:always,issuer:always<br>basicConstraints    = CA:true<br>...<br><br></div><div class="gmail_extra">My server.cnf<br>...<br>[ req ]<br>prompt            = no<br>distinguished_name    = server<br>default_bits        = 2048<br>input_password        = whatever<br>output_password        = whatever<br><br>[server]<br>countryName        = FR<br>stateOrProvinceName    = Radius<br>localityName        = Somewhere<br>organizationName    = Example Inc.<br>emailAddress        = admin@example.com<br>commonName        = "xen-squeeze-freeradius"<br></div><div class="gmail_extra"><br><br><span style="background-color:rgb(255,217,102)">err='self signed certificate in certificate chain'</span><br>

I followed the guide <a href="http://deployingradius.com/documents/configuration/certificates.html">http://deployingradius.com/documents/configuration/certificates.html</a><br>
but the FreeRADIUS error is "self-signed certificate." How do I remove this error?<br>

</div><div class="gmail_extra">
thank you!!!!<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2014-01-31 Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span>:<br>


<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Yves Deuscher wrote:<br>
> For DEP commissioned the first connection goes well<br>
><br>
><br>
> Thu Jan 30 23:48:28 2014 : Info: ++[eap] returns noop<br>
> Thu Jan 30 23:48:28 2014 : Info: ++[unix] returns updated<br>
> Thu Jan 30 23:48:28 2014 : Info: [files]        expand:<br>
> %{Client-Shortname} -> DEP25<br>
> Thu Jan 30 23:48:28 2014 : Info: [files] users: Matched entry DEFAULT at<br>
> line 208<br>
> Thu Jan 30 23:48:28 2014 : Info: ++[files] returns ok<br>
<br>
</div>  You'll have to look at the rest of the debug log to see what's going on.<br>
<br>
  If the packets are being processed differently, it's because the<br>
packets are different.  You'll have to look at the packets to see what's<br>
different.  Then, re-write the rules to match both packets.<br>
<div><br>
> I miss something for the dynamic substitution takes place at each<br>
> connection or I can not be the problem taken in the right direction have?<br>
<br>
</div>  Each packet is completely independent.  FreeRADIUS doesn't change its<br>
behavior from one packet to the next.<br>
<div><br>
> More I try to configure a secure WPA / TTLS working with all key<br>
> calculated installing Freeradius. by cons with mine I have a CA_unknown<br>
> error do you have a clue?<br>
<br>
</div>  Follow the EAP guide on <a href="http://deployingradius.com/" target="_blank">http://deployingradius.com/</a> .   It *will* work.<br>
<br>
  If you have unknown CA errors, it's because the certificate<br>
configuration is wrong.  Follow the guide.<br>
<span><font color="#888888"><br>
  Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</font></span></blockquote></div><br></div></div></div></div>
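As an added defender-side check (example code written for this edit, not from the thread or from FreeRADIUS): OpenSSL's error 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, raised when the chain reaches a self-signed root that the verifier does not trust, so the first thing to compare is the supplicant's ca_cert against the CA that actually signed the server certificate. The script also flags that the quoted ca.cnf and server.cnf give the CA and the server an identical subject; OpenSSL builds chains by matching a certificate's issuer name against candidate subjects, so keeping the two distinct is a sound rule. The config text and the eapol_test line are constructed from the values quoted above.

```python
import configparser
import re

# Constructed sample input: the DN sections quoted from ca.cnf and server.cnf above.
CA_CNF = """[certificate_authority]
countryName         = FR
stateOrProvinceName = Radius
localityName        = Somewhere
organizationName    = Example Inc.
emailAddress        = admin@example.com
commonName          = "xen-squeeze-freeradius"
"""
SERVER_CNF = CA_CNF.replace("[certificate_authority]", "[server]")  # same DN, as in the mail
# Constructed sample input: the highlighted eapol_test line from the trace above.
EAPOL_LINE = ("TLS: Certificate verification failed, error 19 (self signed certificate in "
              "certificate chain) depth 1 for '/C=FR/ST=Radius/L=Somewhere/O=Example Inc."
              "/emailAddress=admin@example.com/CN=xen-squeeze-freeradius'")

DN_KEYS = ("countryName", "stateOrProvinceName", "localityName",
           "organizationName", "emailAddress", "commonName")
VERIFY_RE = re.compile(r"error (\d+) \((.*?)\) depth (\d+) for '(.*)'")
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19  # OpenSSL: chain reached a root absent from the trust store

def dn_from_cnf(text, section):
    """Return the subject DN fields of one OpenSSL req section as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {k: cp[section][k].strip('"') for k in DN_KEYS if k in cp[section]}

def parse_verify_error(line):
    """Pull code, reason, depth and subject out of an eapol_test/wpa_supplicant TLS line."""
    m = VERIFY_RE.search(line)
    if m is None:
        return None
    return {"code": int(m.group(1)), "reason": m.group(2),
            "depth": int(m.group(3)), "subject": m.group(4)}

def diagnose(ca_dn, server_dn, line):
    """Turn the supplicant's verify error into the concrete things to check."""
    err = parse_verify_error(line)
    findings = []
    if err and err["code"] == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        findings.append(f"root at depth {err['depth']} is not in the supplicant trust store; "
                        "point ca_cert at the CA that signed the server certificate")
    if ca_dn == server_dn:
        findings.append("CA and server would share one subject; use distinct commonName values")
    return findings

if __name__ == "__main__":
    print(diagnose(dn_from_cnf(CA_CNF, "certificate_authority"), dn_from_cnf(SERVER_CNF, "server"), EAPOL_LINE))
```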