Ok, the hole day i tried to get it to work but this time when i install the certificate as a machine zertifikate the radius authentifikation log ends up with this log below. The Certificates where generated with openssl and all works fine as User certificates but not as computer zertificate. I set the Registry Patch which was diescribed in the mailing list to a value of 2. If anyone konws why this doesnt work please mail me. rad_recv: Access-Request packet from host 10.40.0.254:1024, id=125, length=120 NAS-IP-Address = 10.40.0.254 NAS-Port-Type = Ethernet Service-Type = Framed-User Message-Authenticator = 0x75b32a36b118137416c352ac114ec00c NAS-Port = 8 Framed-MTU = 1490 User-Name = "host/Client5" Calling-Station-Id = "00-10-5A-F7-F0-BA" EAP-Message = 0x02ff001101686f73742f436c69656e7435 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "host/Client5", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 255 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 181 users: Matched entry DEFAULT at line 200 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 125 to 10.40.0.254:1024 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010000060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3409168c713d79e19e09bf2f2ab092c9 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 125 with timestamp 430c8459 Nothing to do. Sleeping until we see a request. FreeRadius users mailing list <freeradius-users@lists.freeradius.org> schrieb am 24.08.05 09:52:57: At 12:49 23/08/05, you wrote:
Hi, thanks for your email!
Ok, i tried it out but i have some problems. If i use the DWORT String you sent me it has no efekkt. I found an other DWORT Key which Sounds "AuthMode" and with this DWORT he only tries to authentificate with the machine account. Maybe you have made a typing mistake in your email??
Whoops - You are right it was a typing mistake, it is AuthMode.
Ok, but my problem ist, that when he tries to authentificate with the Computer Account i see in the radius debugging modse that he only tried to use the default entry in the user File and not the "Client3" Entry. It seems that he does not find the right Computer Certificate or the Freeradius does not find the Right Entry in his user File???
I am new to freeRADIUS myself in order to get my system working I followed the instructions in these web pages, http://www.linuxjournal.com/article/8017, http://www.linuxjournal.com/article/8095, http://www.linuxjournal.com/article/8151. It does look like a certificates problem, but then I am very new to FreeRADIUS and I spent a considerable amount of time adjusting settings to make it work.
This is the output from Freeradius -X -A when the DWORT "AuthMode" is set to 2
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file! : /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/! run/freeradius/freeradius.pid" main: user = "freerad" &nbs p;main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library ! search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" ! ;unix: shadow = "/etc/shadow" unix: group = "(null)" ;unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/ssl/certs/8021x-server.pem" tls: certificate_file = "/etc/ssl/certs/8021x-server.pem" tls: CA_file = "/etc/ssl/certs/root.pem" tls: private_key_pa! ssword = "whatever" tls: dh_file = "/etc/ssl/certs/dh" tls: random_file = "/etc/ssl/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix ) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: ca! llerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 10.40.0.254:1024, id=103, length=120 NAS-IP-Address = 10.40.0.254 NAS-Port-Type = Ethernet Service-Type = Framed-User Message-Authenticator = 0x8e013b02cf39c8b291f8a9d790f3bd6a NAS-Port = 8 Framed-MTU = 1490 User-Name = "host/Client3" Calling-Station-Id = "00-10-5A-F7-F0-BA" EAP-Message = 0x02ff001101686f73742f436c69656e7433 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 &nbs! p; rlm_realm: No <mailto:'@'>'@' in User-Name = "host/Cli ent3", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 255 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 181 users: Matched entry DEFAULT at line 200 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: ! Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 103 to 10.40.0.254:1024 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010000060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1814a65439afaa74487aa379af48ead9 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 103 with timestamp 430b0c7e Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.40.0.254:1024, id=104, length=120 NAS-IP-Address = 10.40.0.254 NAS-Port-Type = Ethernet Service-Type = Framed-User Message-Authenticator = 0xe3868d2! de84c592e7e54eb355b23752f NAS-Port = 8 Framed-MTU = 1490 User-Name = "host/Client3" Calling-Station-Id = "00-10-5A-F7-F0-BA" EAP-Message = 0x0201001101686f73742f436c69656e7433 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No <mailto:'@'>'@' in User-Name = "host/Client3", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at li! ne 181 users: Matched entry DEFAULT at line 200 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1
Fallibroome High School Priory Lane Macclesfield Cheshire SK10 4AF - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html