Hello

I have followed the procedures to create EAP certificates in etc/raddb/certs but when i copy the ca.der and client.P12 my windows XP cannot seem to authenticate to the radisu Server.

I can se a small baloon appearing on xp stating failed to authenticate on palstaff.


My Proxim AP reports Radius Server Error but i have already set the Radius Server IP address in the Proxim AP.
 
I have also updated my make file as below to allow XP clients to authenticate



######################################################################
#
#  Create a new client certificate, signed by the the above server
#  certificate.
#
######################################################################
client.csr client.key: client.cnf
        openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key index.txt serial
        openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
        openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
        openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
        cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: ca.pem client.pem
        c_rehash .
        openssl verify -CApath . client.pem



$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

and redo the certificates.


Please need help on this



Regards

Devinder


2010/1/20 Devinder Singh <devinbhullar@gmail.com>
After i had restarted my XP

i get to see Windows was unable to log you on to palstaff.


palstaff is my sssid


Devinder


2010/1/20 Devinder Singh <devinbhullar@gmail.com>
When i click on my SSID i get authentication failed. The Proxim AP reports Radius not connected and i dont get to see any reply on Radius Server



2010/1/20 Devinder Singh <devinbhullar@gmail.com>
######################################################################
#
#  Create a new client certificate, signed by the the above server
#  certificate.
#
######################################################################
client.csr client.key: client.cnf
        openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key index.txt serial
        openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
        openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
        openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
        cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: ca.pem client.pem
        c_rehash .
        openssl verify -CApath . client.pem



2010/1/20 Devinder Singh <devinbhullar@gmail.com>
Hi Ivan,

I cant seem to authenticate my Windows XP client using EAP authentication. I have folllowed the steps in /etc/raddb/certs

This is my radius start up
Module: Instantiating eap-tls                                                           
   tls {                                                                                 
        rsa_key_exchange = no                                                            
        dh_key_exchange = yes                                                            
        rsa_key_length = 512                                                             
        dh_key_length = 512                                                              
        verify_depth = 0                                                                 
        pem_file_type = yes                                                              
        private_key_file = "/etc/raddb/certs/server.pem"                                 
        certificate_file = "/etc/raddb/certs/server.pem"                                 
        CA_file = "/etc/raddb/certs/ca.pem"                                              
        private_key_password = "myettelap"                                               
        dh_file = "/etc/raddb/certs/dh"                                                  
        random_file = "/etc/raddb/certs/random"                                          
        fragment_size = 1024                                                             
        include_length = yes                                                             
        check_crl = no                                                                   
        cipher_list = "DEFAULT"                                                          
        make_cert_command = "/etc/raddb/certs/bootstrap"                                 
    cache {                                                                              
        enable = no                                                                      
        lifetime = 24                                                                    
        max_entries = 255                                                                
    }                                                                                    
   }                                                                                     
 Module: Linked to sub-module rlm_eap_ttls                                               
 Module: Instantiating eap-ttls                                                          
   ttls {                                                                                
        default_eap_type = "md5"                                                         
        copy_request_to_tunnel = no                                                      
        use_tunneled_reply = no                                                          
        virtual_server = "inner-tunnel"                                                  
   }                                                                                     
 Module: Linked to sub-module rlm_eap_peap                                               
 Module: Instantiating eap-peap                                                          
   peap {                                                                                
        default_eap_type = "mschapv2"                                                    
        copy_request_to_tunnel = no                                                      
        use_tunneled_reply = no                                                          
        proxy_tunneled_request_as_eap = yes                                              
        virtual_server = "inner-tunnel"                                                  
   }                                                                                     
 Module: Linked to sub-module rlm_eap_mschapv2                                           
 Module: Instantiating eap-mschapv2                                                      
   mschapv2 {                                                                            
        with_ntdomain_hack = no                                                          
   }                                                                                     
 Module: Checking authorize {...} for more modules to load                               
 Module: Linked to module rlm_realm                                                      
 Module: Instantiating suffix                                                            
  realm suffix {                                                                         
        format = "suffix"                                                                
        delimiter = "@"                                                                  
        ignore_default = no                                                              
        ignore_null = no                                                                 
  }                                                                                      
 Module: Linked to module rlm_files                                                      
 Module: Instantiating files                                                             
  files {                                                                                
        usersfile = "/etc/raddb/users"                                                   
        acctusersfile = "/etc/raddb/acct_users"                                          
        preproxy_usersfile = "/etc/raddb/preproxy_users"                                 
        compat = "no"                                                                    
  }                                                                                      
 Module: Checking session {...} for more modules to load                                 
 Module: Linked to module rlm_radutmp                                                    
 Module: Instantiating radutmp                                                           
  radutmp {                                                                              
        filename = "/var/log/radius/radutmp"                                             
        username = "%{User-Name}"                                                        
        case_sensitive = yes                                                             
        check_with_nas = yes                                                             
        perm = 384                                                                       
        callerid = yes                                                                   
  }                                                                                      
 Module: Checking post-proxy {...} for more modules to load                              
 Module: Checking post-auth {...} for more modules to load                               
 Module: Linked to module rlm_attr_filter                                                
 Module: Instantiating attr_filter.access_reject                                         
  attr_filter attr_filter.access_reject {                                                
        attrsfile = "/etc/raddb/attrs.access_reject"                                     
        key = "%{User-Name}"                                                             
  }                                                                                      
 }                                                                                       
}                                                                                        
 modules {                                                                               
 Module: Checking authenticate {...} for more modules to load                            
 Module: Checking authorize {...} for more modules to load                               
 Module: Linked to module rlm_preprocess                                                 
 Module: Instantiating preprocess                                                        
  preprocess {                                                                           
        huntgroups = "/etc/raddb/huntgroups"                                             
        hints = "/etc/raddb/hints"                                                       
        with_ascend_hack = no                                                            
        ascend_channels_per_line = 23                                                    
        with_ntdomain_hack = no                                                          
        with_specialix_jetstream_hack = no                                               
        with_cisco_vsa_hack = no                                                         
        with_alvarion_vsa_hack = no                                                      
  }                                                                                      
 Module: Checking preacct {...} for more modules to load                                 
 Module: Linked to module rlm_acct_unique                                                
 Module: Instantiating acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
        detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
^[[6~^[[6~


2010/1/20 Devinder Singh <devinbhullar@gmail.com>

Hi Ivan,
 
I created the certificates basd on the README file in etc/raddb and copied ca.der and client.p12 to Windows XP
 
I also also made changed to the Makefile which runs on XP but when i connect to the SSID i get authentication failde and the radius does not seem to get any response from the Proxim AP.
 


--
Devinder



--
Devinder



--
Devinder



--
Devinder



--
Devinder



--
Devinder