I created once again certs by myself, giving common name for user cert the same like in example
user@example.com, I place them on xp client - both of them looks ok,
now something is happening (anyway like Aragorn said: "still not king"):
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 14 to 127.0.0.1 port 1812
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x323036
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 14 to 127.0.0.1 port 1812
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14, length=140
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633
Proxy-State = 0x323036
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 14 to 127.0.0.1 port 1814
Proxy-State = 0x323036
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14, length=25
Proxy-State = 0x323036
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user@example.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 206 to 192.168.5.206 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 14 with timestamp +43
Cleaning up request 0 ID 206 with timestamp +43
Ready to process requests.
So in other words this script is for all clients exept microsofts-like ?>You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate.do you have such altered makefile?
On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik <tnt@kalik.net> wrote:> # make clientThis is explained in raddb/certs/README - Compatibility. You should try
>
> next I made a copy of ca.der and client.p12 to xp directory,
> next I opened mmc and install both of them to Trusted Root Certificate
> Authorities and to Personal
>
> exclamation mark on client certificate:
> "windows does not have enough information to verify this certificate"
> "you have private key that corresponds to this certificate"
>
altering make client command in Makefile so that client certificates are
signed by ca and not server certificate.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html