I created once again certs by myself, giving common name for user cert the same like in example user@example.com, I place them on xp client - both of them looks ok, now something is happening (anyway like Aragorn said: "still not king"): Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Stripped-User-Name = "user" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 14 to 127.0.0.1 port 1812 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x323036 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 14 to 127.0.0.1 port 1812 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x323036 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14, length=140 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633 Proxy-State = 0x323036 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 14 to 127.0.0.1 port 1814 Proxy-State = 0x323036 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14, length=25 Proxy-State = 0x323036 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 206 to 192.168.5.206 port 1812 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 14 with timestamp +43 Cleaning up request 0 ID 206 with timestamp +43 Ready to process requests. On Tue, May 19, 2009 at 2:23 PM, Bartosz Chodzinski <bartosz.c@gmail.com>wrote:
So in other words this script is for all clients exept microsofts-like ?
You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate. do you have such altered makefile?
On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik <tnt@kalik.net> wrote:
# make client
next I made a copy of ca.der and client.p12 to xp directory, next I opened mmc and install both of them to Trusted Root Certificate Authorities and to Personal
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" "you have private key that corresponds to this certificate"
This is explained in raddb/certs/README - Compatibility. You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html