-------- Original-Nachricht --------
Datum: Wed, 30 Jan 2008 09:28:31 -0500 Von: "Wm. Josiah Erikson" <wjerikson@hampshire.edu> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: deactivate ldap.attrmap
What struck me was that you need more attributes, but maybe I missed them:
-cacertfile -certfile -keyfile
-Josiah
I also tried a configuration with these attributes, but the error was the same. in my config there is at the moment only the "cacertfile", which is needed for the check of the edirectory-server-certificate. In my opinion, i don't need the certfile and keyfile for eap-tls, because the edirectory-server doesn't check the freeradius-server-certificate. Is this correct?!?
Sebastian
Sebastian Heil wrote:
Sebastian Heil wrote: ...
i added the following lines to the ldap-section:
...
rlm_ldap: could not start TLS Can't contact LDAP server
Maybe you need to check that there is an LDAP server listening on that port?
Alan DeKok.
thanks for your fast answer, alan. but i am afraid, this is not the solution... the ldap-server is listening and even responding to my ldap-request. i captured the
communication
between the freeradius and the edirectory with etherreal:
Someone any idea about the "Encrypted Alert" in no. 14?? Thanks.
--------------------- No. Time Source Destination
Protocol Info
1 0.000000 radtestclient freeradius RADIUS
Access-Request(1) (id=74, l=58)
3 0.000749 freeradius edirectory TCP
56302 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
5 0.012986 edirectory freeradius TCP
ldaps > 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
6 0.013057 freeradius edirectory TCP
56302 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
7 0.013639 freeradius edirectory SSLv2
Client Hello
8 0.021887 edirectory freeradius TLSv1
Server Hello,
9 0.022035 freeradius edirectory TCP
56302 > ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
10 0.030390 edirectory freeradius TLSv1
Certificate
11 0.030550 freeradius edirectory TCP
56302 > ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
12 0.032263 freeradius edirectory TLSv1
Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
13 0.048990 edirectory freeradius TLSv1
Change Cipher Spec, Encrypted Handshake Message
14 0.049652 freeradius edirectory TLSv1
Encrypted Alert
15 0.049923 freeradius edirectory TCP
56302 > ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
17 0.057441 edirectory freeradius TCP
ldaps > 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
18 0.057774 edirectory freeradius TLSv1
Encrypted Alert
19 0.057807 freeradius edirectory TCP
56302 > ldaps [RST] Seq=507 Len=0
20 0.057880 edirectory freeradius TCP
ldaps > 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
21 0.057903 freeradius edirectory TCP
56302 > ldaps [RST] Seq=507 Len=0
I think, i found the problem. the client starts the session with the client hello-packet. I think, the protocol of the client-hello-packet is wrong, its not tls, but sslv2. for example in sslv2 the random-number is missing. Is there a way to change the client-hello packet to tls, not sslv2? Thanks in advance. Sebastian -- GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS. Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail