Stefan Puch wrote:
@Alan DeKok
I'll bet that if you posted the final Access-Accept from 1.1.7 and from 2.0.1, that they would be *different*. If you make them the same, I'll also bet that the NAS will accept the user.
You were right (you win the bet), I accidentally commented out an entry in the "default"-file, which setting were included in radiusd.conf in previous version of freeradius
Stop fighting with the certificates. You're wasting your time, and confusing yourself. Start looking at the contents of the Access-Accept, which is the only thing that really matters.
With that hint I was able to get Windows and Linux Laptops working again using EAP-TLS and freeradius 2.0.1. I also managed to get a WM2003 and a WM6 PDA connecting using EAP-PEAP. For using EAP-TLS with the Windows Mobile devices I still have to solve one problem, which I think would be no problem for you, the problem with the username of the devices.
If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a working configuration, but finally it should work also with that Option enabled. The problem of the Windows Mobile devices is, that they always submit as username "DOMAIN\user". If you leave the DOMAINNAME blank still "\user" is used. Since the radiusd.conf hints say, that I should NOT use the option "with_ntdomain_hack" (and when I tested it still didn't work for me) I wanted to use the "Realm module". But at the moment I didn't fully understand how realms work, although I did read the Posting on this mailinglist (from 2004) and the manpage.
I Know that I will have to use the realm module
You dont... your using 2.01 ? Write a regular expression to strip off the proceeding \ Heres one I did earlier.... If I remember correctly it's \\\\ to escape to one \ in the username ... \\ To escape it in the RegExp string, \\ to make \ literal in the regular expression... authorize { # USERNAME FORMATTING # User-Name Formatting, extracts Realm, User. Ignores NT domain # This will accept # * user # * user@domain # * ntdomain\\user # * ntdomain\\user@domain if("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) { update request { Stripped-User-Name = "%{1}" } } ... } You then use: check_cert_cn = %{Stripped-User-Name}
PS: When I've got a working configuration for the Windows Mobile devices, I'm going to write a little HOWTO like the one "EAP/TLS Setup for FreeRADIUS and Windows XP Supplicant" just for Mobile PDA's
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900