---Guy

Sent from my iPad

On 12 Mar 2011, at 20:06, Usuário do Sistema <maiconlp@ig.com.br> wrote:

Hello, I'm new at the Freeradius and I'm deploying it with EAP-TLS to authenticate my Wireless users which will be authenticated against a OpenLDAP base.
 
 
I'm using freeradius2 and when I make a test from other linux machine with command "radtest joao.vero jango123 128.2.100.131 2 meleca" it's working as follow out
 
Sending Access-Request of id 45 to 128.2.100.131 port 1645
        User-Name = "joao.vero"
        User-Password = "jango123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
rad_recv: Access-Accept packet from host 128.2.100.131:1645, id=45, length=20
 
But, when I'm going  to authenticate wireless users from Win7 ( with EAP-TLS, I'm using the test certificate from /etc/raddb/certs/..) It isn't working. it's appear in log:
 
TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
 
What I did until at the moment in ralation EAP-TLS:
 
I've configured the eap.conf file to read the certificates from /etc/raddb/certs/...
I've create the user certificate ( as shows README in /etc/raddb/certs )
I've copied and installed two certificates to user machine: cliente.p12 and ca.der. the first as personal and the last as Trusted Root Certification Authorities
 
I wish to use LDAP for authenticate my users but seems that User-Password must be Clear text. there is possible reach EAP-TLS with LDAP??
 
What I have do ??
 
any help is welcome
 
Thank!
 
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

You have an issue with the cert, the cert the client is sending back is not recognised by free radius..

As for authenticating you can do this without clear text but you'll need to use NT-LM. With which you use samba to create NTSambaPassword in the LDAP database which it can auth with.

You will likely have to extend the schema for your LDAP server.. Though that's quite well documented for adding in Samba support.

Thanks 

--Guy