Ok, before radiusd -X lets see the scenario and config files: step 1: - the network use wireless grid technologie, all the AP are managed by one switch controler (dws-3024 - d-link) - the AP should be authenticated by the RADIUS Server before they could be authorised to be managed by the switch controler. so this step, the dws-3024 is the Authenticator and the AP (dwl-8500AP+) is the supplicant. at this stage, you adviced me to fix "Auth-Type := Accept" to the AP attribute in the user file, so everything is OK. step 2: the AP become the Authenticator cause it transmit the Authentication requests to the Radius Server (so it possesses an entry in client.conf) and the supplicant here is rhe wireless client. dws-3024 documentation give a sample for wireless client as follow: ======================================================= If you use an external RADIUS server to manage VLANs, you configure the server to use Tunnel attributes in Access-Accept messages in order to inform the access point about the selected VLAN. These attributes are defined in RFC 2868 and their use for dynamic VLAN is specified in RFC 3580. The VLAN attributes defined in RFC3580 are as follows: • Tunnel-Type=VLAN (13) • Tunnel-Medium-Type=802 • Tunnel-Private-Group-ID=VLANID NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which is why client entries use 6 for the Tunnel-Medium-Type value. To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the etc/raddb/users file, which contains the user account information, and add for the new user. The following example shows the entry for a user in the users file. The username is “johndoe,” the password is “test1234.” The user is assigned to VLAN 77. johndoe Auth-Type: = EAP, User-Password == “test1234" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 77 Tunnel-Type and Tunnel-Medium-Type use the same values for all stations. Tunnel-Private- Group-ID is the selected VLAN ID and can be different for each user. NOTE: Do not use the management VLAN ID of the AP for the value of the Tunnel- Private-Group-ID. ====================================================== so i create my certificates according to certs/README and the commonname for client is "mojo". here is the log of Radiusd - X in an attemting connexion by the wireless clienst: (Wireless security is WEP 802.1x and VLANID = 2) ============================================================ ============================================================ ============================================================ radius:~ # radiusd -X FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Mar 18 2008 at 19:47:59 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/snmp.conf including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" user = "radiusd" group = "radiusd" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client dws3024 { ipaddr = 192.168.0.254 require_message_authenticator = yes secret = "wireless" nastype = "D-Link" } client Access_Point_DWL-8500AP+ { ipaddr = 192.168.2.0 netmask = 24 require_message_authenticator = yes secret = "wireless" nastype = "D-Link" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.key" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "wireless" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ rad_recv: Access-Request packet from host 192.168.0.254 port 49153, id=1, length=79 User-Name = "00-1c-f0-07-d6-90\000" NAS-Identifier = "00-17-9A-95-0C-18" Message-Authenticator = 0x65f1cca415ab9d0413903188af185f25 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "00-1c-f0-07-d6-90", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound users: Matched entry 00-1c-f0-07-d6-90 at line 52 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Login OK: [00-1c-f0-07-d6-90\000/<via Auth-Type = Accept>] (from client dws3024 port 0) Sending Access-Accept of id 1 to 192.168.0.254 port 49153 D-Link-Wireless-AP-Mode = WS-Managed D-Link-Wireless-AP-Location = "Bureau de Joel" D-Link-Wireless-AP-Profile-ID = 1 D-Link-Wireless-AP-Switch-IP = 192.168.10.254 D-Link-Wireless-AP-Radio-1-Chan = Auto D-Link-Wireless-AP-Radio-2-Chan = Auto D-Link-Wireless-AP-Radio-1-Power = Auto D-Link-Wireless-AP-Radio-2-Power = Auto Finished request 0. Going to the next request Waking up in 0.9 seconds. Waking up in 3.9 seconds. Cleaning up request 0 ID 1 with timestamp +81 Ready to process requests. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ USING "Auth-Type := Accept mojo Auth-Type := Accept, User-Password == "wireless" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 2, Reply-Message = "client account stuffs." ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ############## AUTHENTIFICATION REQUEST FROM THE SUPPLICANT (Wireless client) ######## rad_recv: Access-Request packet from host 192.168.2.4 port 1026, id=0, length=162 User-Name = "mojo" NAS-IP-Address = 192.168.2.4 NAS-Port = 1 Called-Station-Id = "00-1C-F0-07-D6-99:pedagogie_wpa2_entr." Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000009016d6f6a6f Message-Authenticator = 0xa57b6ebbe376d1eaed8cecc7e397aefa +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "mojo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. users: Matched entry mojo at line 85 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Login OK: [mojo/<via Auth-Type = Accept>] (from client Access_Point_DWL-8500AP+ port 1 cli 00-12-F0-0C-97-61) Sending Access-Accept of id 0 to 192.168.2.4 port 1026 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Reply-Message = "client account stuffs." Finished request 1. Going to the next request Waking up in 0.9 seconds. Waking up in 4.0 seconds. rad_recv: Access-Request packet from host 192.168.2.4 port 1026, id=0, length=162 Sending duplicate reply to client Access_Point_DWL-8500AP+ port 1026 - ID: 0 Sending Access-Accept of id 0 to 192.168.2.4 port 1026 Waking up in 1.9 seconds. Cleaning up request 1 ID 0 with timestamp +98 Ready to process requests. #######CONNECTED, NO @IP AND IT RESTART FOR ANOTHER TURN, NEVER STOPPING ####### ============================================================ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ WITHOUT USING "Auth-Type := Accept ( ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ USING "Auth-Type := Accept mojo Auth-Type := Accept, User-Password == "wireless" Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 2, Reply-Message = "client account stuffs." ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ rad_recv: Access-Request packet from host 192.168.2.4 port 1024, id=8, length=155 User-Name = "mojo" NAS-IP-Address = 192.168.2.4 NAS-Port = 2 Called-Station-Id = "00-1C-F0-07-D6-98:Guest Network" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000009016d6f6a6f Message-Authenticator = 0x349aea9694c93a503c14b5c10c73d45b +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "mojo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. users: Matched entry mojo at line 85 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.2.4 port 1024 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Reply-Message = "client account stuffs." EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x83d6e38e83d7ee899c87131befee6bdc Finished request 0. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.2.4 port 1024, id=1, length=155 User-Name = "mojo" NAS-IP-Address = 192.168.2.4 NAS-Port = 2 Called-Station-Id = "00-1C-F0-07-D6-98:Guest Network" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000009016d6f6a6f Message-Authenticator = 0x2b53afbbb4b2229f0d5bfa9fa7a53167 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "mojo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. users: Matched entry mojo at line 85 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.2.4 port 1024 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Reply-Message = "client account stuffs." EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e10926a5e119fe515a2972f16e32f58 Finished request 1. Going to the next request Waking up in 0.9 seconds. Waking up in 3.9 seconds. Cleaning up request 0 ID 8 with timestamp +6 Cleaning up request 1 ID 1 with timestamp +6 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.4 port 1024, id=8, length=155 User-Name = "mojo" NAS-IP-Address = 192.168.2.4 NAS-Port = 2 Called-Station-Id = "00-1C-F0-07-D6-98:Guest Network" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000009016d6f6a6f Message-Authenticator = 0x349aea9694c93a503c14b5c10c73d45b +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "mojo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. users: Matched entry mojo at line 85 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.2.4 port 1024 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Reply-Message = "client account stuffs." EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcff784ddcff689f72fa303f8f4fab41c Finished request 2. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.2.4 port 1024, id=3, length=155 User-Name = "mojo" ============================================================ ============================================================ in both cases, it stays on "IDENTITY VALIDATION" in xp wireless management and sometime i receive the right ip adresss in the right IP Pool. ut lost it immediately, maybe cause of the repeating cycle of athentication sequence. AND, the client certificate, signed by the Server (not the CA root) is still with the same message. hope it would be helpfull !! thank you for your time MBA OYONE Joël Lot. El Firdaous Bât GH20, Porte A 204, Appt 8 20000 Oulfa Casablanca - Maroc Tél. : +212 69 25 85 70 ----- Message d'origine ---- De : Ivan Kalik <tnt@kalik.net> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Envoyé le : Lundi, 5 Mai 2008, 10h42mn 29s Objet : Re: howto EAP-TLS on freeradius 2.0.2-3 ??
- ca.der ---- no prob, known as an CA in windows - server.p12 ---no prob, certicate is valid - client.p12 --- !!! windows said something like that (excuse my english translation, but i think you'll get the message):
--CA ---Server -------clients:
---Information about the certificate: --- ****this certificate is not valide cause one of the certificate authority in the certificate path seems not to be allow to deliver certificate, or this certificate can not be use as end-user certificate ***** (see attached file)
http://technet.microsoft.com/en-us/library/bb331963(EXCHG.80).aspx It looks like the certificate doesn't have the OIDs needed. They should be present in certificate details (Details tab). Post radiusd -X to see what happens. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail