So i really wonder where is the problem !!! maybe it is due to the hardware i use... my switch is wireless controller -all AP rceive their config (RF, SSID, channels, Power Radio, security styuffs, etc..) from the switch. so when RADIUS authentication is set-up, every AP have to be authenticated by Freeradius before receiving the correct parameters by FR, using its @MAC as login and the word NOPASSWORD as password (that the theoroy said. cause i had to set Auth-Type := Accept to make it work). at this stage, authenticator is the wireless switch. it works with or without 802.1x ON. it work fine, and the AP are well manged by a centralpoint. no RADIUS problem with AP authetication. - step2: when an AP is recognized, end-users have to be autneticated too by RADIUS. this step, like the documentation says, the managed AP becomes "Authenticator". -so an entry exist for every AP in clients.conf too) during the connection attempts, Radius receive acess request, and the correct certificate is chosen -he give me the correcte commonnameof certificate- but i think the supplicant (end-user on xp) never receive the access-challenge, even if it is sent by RADIUS Server. i don't know if i am well understood or if I "do" misundertood something but it works like that at me now. i installed, reinstalled and formated so much time that i am convincedthat i won't success alone. Hey Ivan, won't you try to help me to fix this stone? i have definitely nodelay anymore, and no solution too. Freeradius is your own and i ma pretty sure that we could both fix the problem between a quarter or a half if you take fulll remote control of my computer and network, assisting you and telling my purpose. thanx for help. ----- Message d'origine ---- De : Ivan Kalik <tnt@kalik.net> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Envoyé le : Lundi, 19 Mai 2008, 0h37mn 23s Objet : RE: Re : Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??
Ok, we assume my certificates are corrects.
So i have some more questions:
- Certificate should be import for user accounts or for computer account ?
Who/what ever is you supplicant trying to authenticate. If the supplicant can't find the correct certificate it will give up.
- i use the file "users" as database for my accounts; when using eap-tls when trying eap-peap my accounts looks like that:
johndoe Auth-Type: = EAP, User-Password == �test1234" Tunnel-Type = 13, Tunnel-Medium-Type = 6,
or
johndoe User-Password == �test1234" Tunnel-Type = 13, Tunnel-Medium-Type = 6,
No, don't use Auth-Type. Use Cleartext-Password or NT-Password (names clearly suugest are they encrypted and how) with mschap.
- when i use eap-tls, it looks like that:
johndoe Tunnel-Type = 13, Tunnel-Medium-Type = 6,
and sometimes, i add add the assignment of Vlan by using the attribute '
Tunnel-Private-Group-ID = 100" -vlan 100 is affected to the ssid i am interested in-
is it correct?
It will work, but it's more common to use "human" values (VLAN and IEEE-802). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail