I change rule and this is solved

My file users
_______________________________________

DEFAULT         Huntgroup-Name == "cisco"
                Service-Type = NAS-Prompt-User,
                Cisco-AVPair = "shell:priv-lvl=15",
                Fall-Through = Yes
               
               
               
DEFAULT         Group == "Central"               
DEFAULT         Group == "DEP25", Client-Shortname == "25"
DEFAULT         Group == "DEP29", Client-Shortname == "29"
DEFAULT         Group == "DEP57", Client-Shortname == "57"
DEFAULT         Auth-Type := Reject
______________________________________


For my second problem ,It isn't resolve.
debug :
Error: TLS Alert read:fatal:unknown CA
Sun Feb  2 22:03:14 2014 : Error:     TLS_accept: failed in SSLv3 read client certificate A
Sun Feb  2 22:03:14 2014 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sun Feb  2 22:03:14 2014 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

and trace user:
 ./eapol_test -c eapol-config -a xen-squeeze-freeradius -p 1812 -s testing123 -r1

EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=4 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=509) - Flags 0x80
SSL: TLS Message Length: 2527
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=xen-squeeze-freeradius'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=xen-squeeze-freeradius' err='self signed certificate in certificate chain'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE

My ca.cnf
...
[ req ]
prompt            = no
distinguished_name    = certificate_authority
default_bits        = 2048
input_password        = whatever
output_password        = whatever
x509_extensions        = v3_ca

[certificate_authority]
countryName        = FR
stateOrProvinceName    = Radius
localityName        = Somewhere
organizationName    = Example Inc.
emailAddress        = admin@example.com
commonName        = "xen-squeeze-freeradius"

[v3_ca]
subjectKeyIdentifier    = hash
authorityKeyIdentifier    = keyid:always,issuer:always
basicConstraints    = CA:true
...

My server.cnf
...
[ req ]
prompt            = no
distinguished_name    = server
default_bits        = 2048
input_password        = whatever
output_password        = whatever

[server]
countryName        = FR
stateOrProvinceName    = Radius
localityName        = Somewhere
organizationName    = Example Inc.
emailAddress        = admin@example.com
commonName        = "xen-squeeze-freeradius"


err='self signed certificate in certificate chain'
I followed the guide http://deployingradius.com/documents/configuration/certificates.html
but Freeradius error is "self-signed certificate." How to remove this error?

thank you!!!!



2014-01-31 Alan DeKok <aland@deployingradius.com>:
Yves Deuscher wrote:
> For DEP commissioned the first connection goes well
>
>
> Thu Jan 30 23:48:28 2014 : Info: ++[eap] returns noop
> Thu Jan 30 23:48:28 2014 : Info: ++[unix] returns updated
> Thu Jan 30 23:48:28 2014 : Info: [files]        expand:
> %{Client-Shortname} -> DEP25
> Thu Jan 30 23:48:28 2014 : Info: [files] users: Matched entry DEFAULT at
> line 208
> Thu Jan 30 23:48:28 2014 : Info: ++[files] returns ok

  You'll have to look at the rest of the debug log to see what's going on.

  If the packets are being processed differently, it's because the
packets are different.  You'll have to look at the packets to see what's
different.  Then, re-write the rules to match both packets.

> I miss something for the dynamic substitution takes place at each
> connection or I can not be the problem taken in the right direction have?

  Each packet is completely independent.  FreeRADIUS doesn't change it's
behavior from one packet to the next.

> More I try to configure a secure WPA / TTLS working with all key
> calculated installing Freeradius. by cons with mine I have a CA_unknown
> error do you have a clue?

  Follow the EAP guide on http://deployingradius.com/ .   It *will* work.

  If you have unknown CA errors, it's because the certificate
configuration is wrong.  Follow the guide.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html