I created once again certs by myself, giving common name for user cert the same like in example
user@example.com, I place them on xp client - both of them looks ok,
now something is happening (anyway like Aragorn said: "still not king"):


Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing EAP.
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 14 to 127.0.0.1 port 1812
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323036
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 14 to 127.0.0.1 port 1812
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14, length=140
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633
        Proxy-State = 0x323036
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 14 to 127.0.0.1 port 1814
        Proxy-State = 0x323036
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14, length=25
        Proxy-State = 0x323036
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user@example.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 206 to 192.168.5.206 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 14 with timestamp +43
Cleaning up request 0 ID 206 with timestamp +43
Ready to process requests.




On Tue, May 19, 2009 at 2:23 PM, Bartosz Chodzinski <bartosz.c@gmail.com> wrote:
So in other words this script is for all clients exept microsofts-like ?
>You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate.
do you have such altered makefile?




On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik <tnt@kalik.net> wrote:
> # make client
>
> next I made a copy of ca.der and client.p12 to xp directory,
> next I opened mmc and install both of them to Trusted Root Certificate
> Authorities and to Personal
>
> exclamation mark on client certificate:
> "windows does not have enough information to verify this certificate"
> "you have private key that corresponds to this certificate"
>

This is explained in raddb/certs/README - Compatibility. You should try
altering make client command in Makefile so that client certificates are
signed by ca and not server certificate.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html