Ivan Kalik wrote:
Please don't mess with configuration. Default one works. Your problem was with the user certificate.
http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/...
On page 52 you have a picture of the Details tab list with Enhanced Key
Usage filed containing client OID. Does your client certificate have
that field and that value? Hi Ivan! you can view screenshots of the certificate here: - CA Certificate that i imported on XP with DER format: http://img357.imageshack.us/img357/2264/cacertificate1wj4.jpg - Client Certificate with p12 format: http://img164.imageshack.us/img164/2894/certifclient1kf1.jpg http://img164.imageshack.us/img164/7527/certifclient2rv3.jpg sorry for the delay, i was in a trip! I am still blocked on "Identity validation when i try to use eap-tls" attached files contain snapshot of my CA certificate (cacert.der) and my client certificate (joel_certs.p12) olus the command lines applied to obtain them. Please let me know if they are corrects, like i suppose it to be! here is my eap-tls configuration: #################################################################### Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/CA/other_keys/servradiuskey.pem" certificate_file = "/etc/raddb/certs/CA/certs/serverradiuscert.pem" CA_file = "/etc/raddb/certs/CA/cacert.pem" private_key_password = "wireless" dh_file = "/etc/raddb/certs/CA/dh" random_file = "/etc/raddb/certs/CA/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } ############################################################### My scripts: ###################################################################### # Creating a new self-signed CA certificate ###################################################################### cakey.key cacert.pem: openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config ./ca.cnf # DER Forma of rhe CA certificate, that i imported on windows XP ca.der: ca.pem (DER format) openssl x509 -inform PEM -outform DER -in cac.pem -out ca.der ###################################################################### # Creating a certificate request for Server ###################################################################### openssl req -newkey rsa:1024 -keyout /etc/raddb/certs/CA/other_keys/servradiuskey.pem -out /etc/raddb/certs/CA/req/servradius_cert.req ###################################################################### # Signing the Server certificate with the correctextension ###################################################################### openssl ca -out /etc/raddb/certs/CA/certs/serverradiuscert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/servradius_cert.req ###################################################################### # Creating a certificate request for Client ###################################################################### openssl req -new -nodes -keyout /etc/raddb/certs/CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/req/joel_cert.req ###################################################################### # Signing the Client certificate with the correctextension ###################################################################### openssl ca -out /etc/raddb/certs/CA/certs/joel_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/joel_cert.req ###################################################################### # Converting the Client certificate in p12 file ###################################################################### openssl pkcs12 -export -in CA/certs/joel_cert.pem -inkey CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/certs/joel_certs.p12 -clcerts ###################################################################### ** lemme know if i did something wrong creating my certificate please** That is all i did. Thank you =================================================================================== ====================================================================================================================================================================== Please don't mess with configuration. Default one works. Your problem was with the user certificate. http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/... On page 52 you have a picture of the Details tab list with Enhanced Key Usage filed containing client OID. Does your client certificate have that field and that value? Ivan Kalik Kalik Informatika ISP Dana 7/5/2008, "Joel MBA OYONE" <mba_oyone@yahoo.fr> piše:
Ok,
i think i really missed something! that config should take less than 15 minutes but i can't solve my problem for more than a week.
Alan or Ivan, could you give me a half our to help me to fix my RADIUS EAP-TLS config please. i would like to give you a full access to my network and my terminal too, so the diagnostic should be very very easy for you! is it possible?
MBA OYONE JoÍl Lot. El Firdaous Bât GH20, Porte A 204, Appt 8 20000 Oulfa Casablanca - Maroc
TĂŠl. : +212 69 25 85 70
----- Message d'origine ---- De : Alan DeKok <aland@deployingradius.com> � : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> EnvoyÊ le : Lundi, 5 Mai 2008, 17h18mn 10s Objet : Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??
Joel MBA OYONE wrote: ...
The VLAN attributes defined in RFC3580 are as follows: � Tunnel-Type=VLAN (13) � Tunnel-Medium-Type=802 � Tunnel-Private-Group-ID=VLANID
NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which is why client entries use 6 for the Tunnel-Medium-Type value.
No. For Tunnel-Medium-Type, "802" is a *name*, not a *number*. See Section 3.2 of RFC 2868:
... Value The Value field is three octets and contains one of the values listed under "Address Family Numbers" in [14]. For the sake of convenience, a relevant excerpt of this list is reproduced below.
1 IPv4 (IP version 4) 2 IPv6 (IP version 6) 3 NSAP 4 HDLC (8-bit multidrop) 5 BBN 1822 6 802 (includes all 802 media plus Ethernet "canonical format") ...
FreeRADIUS gets it *right*. Many NAS vendors get it *wrong*.
To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the etc/raddb/users file, which contains the user account information, and add for the new user. The following example shows the entry for a user in the users file. The username is �johndoe,� the password is �test1234.� The user is assigned to VLAN 77.
johndoe Auth-Type: = EAP, User-Password == �test1234" Tunnel-Type = 13, Tunnel-Medium-Type = 6,
Or: Tunnel-Medium-Type = IEEE-802 ....
in both cases, it stays on "IDENTITY VALIDATION" in xp wireless management and sometime i receive the right ip adresss in the right IP Pool. ut lost it immediately, maybe cause of the repeating cycle of athentication sequence.
AND, the client certificate, signed by the Server (not the CA root) is still with the same message.
hope it would be helpfull !!
Arg. Microsoft keeps putting magic nonsense into their OS's to make it difficult to use non-Microsoft RADIUS servers.
And yes, this *is* a problem even inside of Microsoft! So if you're finding it a PITA to get it working, rest assured that Microsoft does, too.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicitĂŠs http://mail.yahoo.fr Yahoo! Mail
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail -----La pièce jointe correspondante suit----- ###################################################################### # # Create a new self-signed CA certificate # ###################################################################### cakey.key cacert.pem: openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config ./ca.cnf ca.der: ca.pem openssl x509 -inform PEM -outform DER -in cac.pem -out ca.der ###################################################################### # requete de cerificat server openssl req -newkey rsa:1024 -keyout /etc/raddb/certs/CA/other_keys/servradiuskey.pem -out /etc/raddb/certs/CA/req/servradius_cert.req # Signature du certificat server openssl ca -out /etc/raddb/certs/CA/certs/serverradiuscert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/servradius_cert.req =================================================================================== ====================================================================================================================================================================== # requete de cerificat client openssl req -new -nodes -keyout /etc/raddb/certs/CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/req/joel_cert.req # Signature du certificat client openssl ca -out /etc/raddb/certs/CA/certs/joel_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/joel_cert.req # conversion du certificat client au format pkcs12 openssl pkcs12 -export -in CA/certs/joel_cert.pem -inkey CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/certs/joel_certs.p12 -clcerts __________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail