|
Has anyone gotten windows clients to work WITHOUT having to do any manual config on the clients? Is it even possible? Also, I have my shiny new publicly signed cert from comodo but my clients are still rejecting the connection ... i think the error is here: [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. But I don't know why i would be getting a read error, the certs that i installed have the same permissions as the test certs... here is the full debug, any help is appreciated: FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Sep 28 2010 at 09:20:29 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/UMHB including configuration file /usr/local/etc/raddb/sites-available/default including configuration file /usr/local/etc/raddb/sites-enabled/control-socket including configuration file /usr/local/etc/raddb/sites-enabled/Cru including configuration file /usr/local/etc/raddb/sites-available/default including configuration file /usr/local/etc/raddb/sites-enabled/default main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 25600 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover nostrip } realm LOCAL { } realm Cru { } realm Cru.umhb.edu { } realm umhb { } realm umhb.edu { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.2.1.75/32 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "PacketFence" } client 10.11.30.0/24 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "Sanderford" } client 10.11.60.0/24 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "Sanderford" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/Production/myserver.key" certificate_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.crt" CA_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.ca-bundle" private_key_password = "Burg3rk1ng!" dh_file = "/usr/local/etc/raddb/certs/Production/dh" random_file = "/usr/local/etc/raddb/certs/Production/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/Production/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /usr/local/etc/raddb/modules/perl perl { module = "/usr/local/etc/raddb/packetfence.pm" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server UMHB { # from file /usr/local/etc/raddb/sites-enabled/UMHB modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server Cru { # from file /usr/local/etc/raddb/sites-enabled/Cru modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/usr/local/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. ====================================================== rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=226, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475 Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 24 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Calling-Station-Id = C4-17-FE-33-C6-A7 rlm_perl: Added pair Called-Station-Id = 00-0F-7D-05-0E-81:UMHB Secure WiFi rlm_perl: Added pair Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801 rlm_perl: Added pair User-Name = host/Lappy.umhb.edu rlm_perl: Added pair EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475 rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/1Mbps 802.11b rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.11.60.2 rlm_perl: Added pair NAS-Port = 129 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 226 to 10.11.60.2 port 32777 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9330d546872b9f993281128fc Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=227, length=315 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0202008019800000007616030100710100006d03014d39919676cd85f8dcfe3f2afef335ec7a98b2eb9095d964891b3484c06fc78e000018002f00350005000ac013c014c009c00a00320038001300040100002cff0100010000000013001100000e6c617070792e756d68622e656475000a0006000400170018000b00020100 State = 0x330f4dc9330d546872b9f993281128fc Message-Authenticator = 0x9165fc9281fe451bdcf9db8487dd8e79 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 118 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0071], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 227 to 10.11.60.2 port 32777 EAP-Message = 0x0103040019c000000b1c16030100310200002d03014d399195fd2d232a53dfee5dce680c057cfc54fe9686405232871c57112f6efa00002f000005ff010001001603010ad80b000ad4000ad10005cb308205c7308204afa003020102021012949e4e96f5c2b15c9a16c71c4cc811300d06092a864886f70d0101050500308189310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312f302d06035504031326434f4d4f444f20486967682d4173737572616e63652053656375 EAP-Message = 0x726520536572766572204341301e170d3130303831393030303030305a170d3135303831393233353935395a3081db310b3009060355040613025553310e300c060355041113053736353133310b3009060355040813025458310f300d0603550407130642656c746f6e311e301c06035504091315554d48422053746174696f6e20426f782038303035311b30190603550409131239303020436f6c6c6567652053747265657431293027060355040a1320556e6976657273697479206f66204d6172792048617264696e2d4261796c6f723121301f060355040b1318506c6174696e756d53534c205347432057696c64636172643113301106035504 EAP-Message = 0x03140a2a2e756d68622e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100dc8dbc42609826a3a26f48356951f40c4bf97815080528e6445fc6f8e9dfe2d260b1f3202c3e418654e8da0499ea4830c6ef7e1a5525575f1f70e0fe795af97b3774896016f3d275f8e27478e8b49ac8e03122822a72df6c6d4c988ffd456672849e9b62bd1e62f5bf1d24228190e3ca3153391cdd8797a685faaa35446f2dc33d64c4dbd310200ead4d58b2c3de92cf086b1de8a16a8f005feb688574c9cafe87bf878a9d2427ab8f273e533016a63ba4f8addfd6c9f2211052ee9e96e58e3b5e5d9c106e17c47d83a8e0216bf7dc EAP-Message = 0xd1174db8f8a566c3448912b2dd88413518c160c52b92ee57d46bff425ddd7ae381ad9b66e9448c485322fcff4d13c25e7b0203010001a38201d5308201d1301f0603551d230418301680143fd5b5d0d64479504a17a39b8c4adcb8b022646b301d0603551d0e0416041414a0d258941febc0b7d8a8b40c94615afa260bd4300e0603551d0f0101ff0404030205a0300c0603551d130101ff0402300030340603551d25042d302b06082b0601050507030106082b06010505070302060a2b0601040182370a030306096086480186f842040130460603551d20043f303d303b060c2b06010401b2310102010304302b302906082b06010505070201161d EAP-Message = 0x68747470733a2f2f73656375 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9320c546872b9f993281128fc Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=228, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020300061900 State = 0x330f4dc9320c546872b9f993281128fc Message-Authenticator = 0x735474693c2ad02c4b885b94ea32aad5 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 228 to 10.11.60.2 port 32777 EAP-Message = 0x010403fc194072652e636f6d6f646f2e636f6d2f435053304f0603551d1f044830463044a042a040863e687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f486967682d4173737572616e636553656375726553657276657243412e63726c30818006082b0601050507010104743072304a06082b06010505073002863e687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f486967682d4173737572616e636553656375726553657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d301f0603551d1104183016820a2a2e756d68 EAP-Message = 0x622e6564758208756d68622e656475300d06092a864886f70d010105050003820101003fc66065745e65bd58ad5b11aff73555ce334a1fa9b4329d126e4cf335956d58485ed85ec47fff9d8abb5e903319ec7a53384059f3b7c7a23638a843d56e38bf98d0a2cb1c21fc9de26e2cbeb25c855dd196304b6772c3d80da0cce7c8f14f969c375b4f72e729d1422f86114ae73824a06269fb092c6644d0a12997f72071c234a6354b7cbccf4c4887eee1a79dc8f4ee70e32f2aa1a97e0b1c1e8f9d016bffd1f4f6e90a478a89224190d6626787c20285398e54a521ad2faa65b0cf6813b1aa8cfba7ab8c997f9139e01040dd4af899604318f5a2167ce53c EAP-Message = 0x937c7e72ae0becce9621763408bc6467b4bf05f59a3fd5752c181d52aff7d71026296804930b000500308204fc308203e4a00302010202101690c329b6780607511f05b0344846cb300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3130303431363030303030305a170d3230303533303130343833385a308189310b3009060355040613024742311b301906 EAP-Message = 0x03550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312f302d06035504031326434f4d4f444f20486967682d4173737572616e6365205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e787dac077e4bb3afa6a24c88041acd21613153dfaf7f82a76dca82d3908ce484abe0f7df0debabb47d5bd2dd71bab0f2081230872b1c011950de6eaa987ffc76e1e4f6632ba53bc05aa1c2c0cef4d37476b100cdbc5a0987e58db37d6aee906bdd7a865f3 EAP-Message = 0x37b9c76dce77c726 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9310b546872b9f993281128fc Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=229, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x330f4dc9310b546872b9f993281128fc Message-Authenticator = 0x61212145984f95fcd4339ef828985296 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 229 to 10.11.60.2 port 32777 EAP-Message = 0x010503361900e0d7741fa69816bb0c6bc8be77d0ef58a729a0b9b8690536cbb2da58a30b75ad3d8b2282203e7086991cb94fcf77a4071a2363d1385684ecbf8fc54ef418969b1ae893ec8daf159c24f05a3be80fb9a85a01d3b21c60c99c5204dd92a7fe0cace2458d0361bc79e0772e87413c585fcbf5c577f258c84d28d09afaf37309246874bc204cd82cb0aae8d94e6df28c24d3935d910203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e041604143fd5b5d0d64479504a17a39b8c4adcb8b022646b300e0603551d0f0101ff04040302010630120603551d13 EAP-Message = 0x0101ff040830060101ff02010030110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c3081b306082b060105050701010481a63081a3303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e703763303906082b06010505073002862d687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737455544e53474343412e637274302506082b060105 EAP-Message = 0x050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d0101050500038201010013851f528018c953f7fe2e1aafccd90b3cc2d3858110f0288db9407e2c9e8fd636860a4c142dd69743924119374b969eeba930791295b3023657ed2bb91d981aa3180a3f9b398bcda149294c2ff9d0958cc84d95baa843cf33aa252a5a0eaa27c94e6bb1e6731fb37404c3f34ce2a8eb67b75db808051a569a542985f5294e803b95d07b53961156c102d3eab27fca8f9c704a148d5ab9166075d6cd271e16cd5b338e7940cf2848e7dc71164e749175b92a8cf170ac26dd04b940c285de1c9340d0cc6ec39baaef6065 EAP-Message = 0xdf6022f05aa57aa22fe47073ee3cd4262b6807c1207ae8985a3e7b9f028b62c085818060357ea51d0cd29cdf62450ddbfc37fbf5252216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9300a546872b9f993281128fc Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=230, length=525 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020501501980000001461603010106100001020100d39af533c76344574a1afcff8cf5711ac18414345e29b157f02d808735c6214f74e1701e2163b79beaf3e584d3b7b1d6ef308efd0d1f6ca4f9d64ebe55229852a91e97de906b67813e0bd504510f7d5f80a0b083349314274566ce4ff387c95b4c82fc18b5abfda9feb7f893fe9bebe3572dfa2f5c4fe71abc08d95b10c88d4634ea8bdb9e2e946ec4f165c99deeffdee5a075cab3c1390b71713a5b7f2b77c5c1b0aeef836bfeda5840941c675bd32d04bc7d09017b5763310b4adb16a43833559624612363ea18f63e5e654ad1b255fb2ced330453a06516aabbb6550e5a409286363cef5e7661 EAP-Message = 0x1163bb4e662da80dabf30e1455b1be69bd55c68de35bcb7d1403010001011603010030f378c58fc4f96e96bf4aba29aa08962242ce0e3007898a99849af855f11f5116f7ecea3850db2d6561b4599c404e627a State = 0x330f4dc9300a546872b9f993281128fc Message-Authenticator = 0x06d78d3c33e3d757129782abcb1d3133 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 230 to 10.11.60.2 port 32777 EAP-Message = 0x010600411900140301000101160301003005369ff6b06a4224824062f6fcfe0092357c4da2fd59baab8c1c5b071e939e71e83b578bd081ee5fa8d3ac3566b8a1bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc93709546872b9f993281128fc Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=231, length=234 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0206002f198000000025150301002071521862587c6d52360e98091cd5d99f81ea6febe82fd2a7401f8b1970c3cf65 State = 0x330f4dc93709546872b9f993281128fc Message-Authenticator = 0xe0cebdb5cdcd98a378bd88f15213b843 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 47 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 37 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state ? [peap] FAILED processing PEAP: Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/Lappy.umhb.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 231 to 10.11.60.2 port 32777 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 226 with timestamp +18 Cleaning up request 1 ID 227 with timestamp +18 Cleaning up request 2 ID 228 with timestamp +18 Cleaning up request 3 ID 229 with timestamp +18 Cleaning up request 4 ID 230 with timestamp +18 Waking up in 1.0 seconds. Cleaning up request 5 ID 231 with timestamp +18 Ready to process requests. Jake Sallee Godfather of Bandwidth Network Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________ From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] on behalf of Peter Lambrechtsen [plambrechtsen@gmail.com] Sent: Friday, January 21, 2011 7:11 AM To: FreeRadius users mailing list Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS On Fri, Jan 21, 2011 at 10:33 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk>> wrote: > 2) Issuing client certs isn't that difficult.? with windows vista/7, > installing a cert is a simple double-click operation, so if they have a > usb flash, you can use linux to zip a copy of their private key and a .doc > with instructions (including screenies!) on configuring their OS in a > matter of seconds, all they have to do is stop by IT to request a key > once, and it's good for as long as you honour it. if dealing with client keys - most of the times its just PEAP with user/pass and its the CA thats an issue. even then there are ways of doing this quite easily... eg https://su1x.sf.net I also quite like using the root certificates tool which happily imports certificates into the root certificate store in windows. Go to here: http://support.microsoft.com/kb/931125 Download the "rootsupd.exe<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe>" from there and expand it with winzip or winrar. Then convert your DER file into a P7B using OpenSSL: openssl crl2pkcs7 -nocrl -certfile internalca1.der -certfile internalca2.der -out internalca.p7b Then use "updroots.exe" included in the exe to import the certificate into your local certificate chain: updroots -l internalca.p7b And you're done You can even use "iexpress" if you're running windows XP to re-package everything back into a self extracting exe. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |