question about windows users
Hi, I have freeradius with eap support on debian etch, radius v1.1.3 "everthing" working fine but I'd like to have much more simple configuration only by certificate and nothing more, so I have few question: 1. fragment of my log first, before question Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "PC-01\\Administrator" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72 Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 my users file contain: "PC-01\\Administrator" User-Password == "passwd" how can I avoid this value PC-01 ?, its really annoying, I would like to have only real user, PC-01 is "my computer -> properties -> computer name -> full computer name". I would like to have only username (with no matter of case sensitive). sth like "administrator" User-Password == "passwd" 2. I would like to use only certificate to check wheter or not some computer should have network connection, I dont care about login or password, if client has a valid cacert.pem installed on pc (windows xp) it should grant acces to network, is it possible to do that? I tried do sth like: users: DEFAULT Auth-Type := Accept but it didn't work the perfect way for me is possiblity to set up something in radiusd.conf and live file users empty 3. when I read log from freeradius -X I see that one pc need to have 7requests in freeradius and in 8-th request is accepted, is it ok? modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 193 to 192.168.5.206 port 1812 MS-MPPE-Recv-Key = 0xc349694508a365a56e56e085069e36270cb13b60c3cc7847129b2386a7062dde MS-MPPE-Send-Key = 0xf93f6de4f455056df7f1d88aa3d12a26cd1a71994fdf6c31bb726612eaf2f038 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "PC-01\\Administrator" Finished request 8 ----------------------------------------------- my configuration files: eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_file = /etc/freeradius/eap/newkey.pem certificate_file = /etc/freeradius/eap/newcert.pem CA_file = /etc/freeradius/eap/eapCA/cacert.pem dh_file = /etc/freeradius/eap/dh random_file = /etc/freeradius/eap/random fragment_size = 1024 include_length = yes check_crl = no } peap { default_eap_type = mschapv2 } mschapv2 { } } radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid user = freerad group = freerad max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess mschap suffix eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap }
I have freeradius with eap support on debian etch, radius v1.1.3
2.0.4 should be available for Debian. Upgrade. Vista doesn't work with 1.1.3. And you will have problems with XP SP3.
"everthing" working fine but I'd like to have much more simple configuration only by certificate and nothing more, so I have few question:
1. fragment of my log first, before question Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "PC-01\\Administrator" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72 Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0
my users file contain: "PC-01\\Administrator" User-Password == "passwd"
how can I avoid this value PC-01 ?, its really annoying, I would like to have only real user, PC-01 is "my computer -> properties -> computer name -> full computer name". I would like to have only username (with no matter of case sensitive).
1. Don't use windows logon name. Untick that when you are making the connection. 2. You can't strip username in EAP. Use ntdomain. It's listed but commented out in default configuration.
sth like "administrator" User-Password == "passwd"
For that to work add domain bit as local realm to proxy.conf.
2. I would like to use only certificate to check wheter or not some computer should have network connection, I dont care about login or password, if client has a valid cacert.pem installed on pc (windows xp) it should grant acces to network, is it possible to do that?
Use EAP-TLS to connect (Smart card or certificate in Windows speak).
3. when I read log from freeradius -X I see that one pc need to have 7requests in freeradius and in 8-th request is accepted, is it ok?
Yes. Ivan Kalik Kalik Informatika ISP
2.0.4 should be available for Debian. I know, 2.0.4 freeradius is available for debian lenny but not etch unfortunately.
2. Use EAP-TLS to connect (Smart card or certificate in Windows speak). Could you write me where in config put that? I tried described below but it doesnt work eap.conf: eap { default_eap_type = tls .... } and I set up on xp: local connection->properites->authentication->smart card or certificate, and I chose my cacert.pem
how to configure it that way? thank you for rapid answer. Bartosz. On Thu, May 14, 2009 at 12:54 PM, Ivan Kalik <tnt@kalik.net> wrote:
I have freeradius with eap support on debian etch, radius v1.1.3
2.0.4 should be available for Debian. Upgrade. Vista doesn't work with 1.1.3. And you will have problems with XP SP3.
"everthing" working fine but I'd like to have much more simple configuration only by certificate and nothing more, so I have few question:
1. fragment of my log first, before question Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "PC-01\\Administrator" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72 Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0
my users file contain: "PC-01\\Administrator" User-Password == "passwd"
how can I avoid this value PC-01 ?, its really annoying, I would like to have only real user, PC-01 is "my computer -> properties -> computer name -> full computer name". I would like to have only username (with no matter of case sensitive).
1. Don't use windows logon name. Untick that when you are making the connection.
2. You can't strip username in EAP. Use ntdomain. It's listed but commented out in default configuration.
sth like "administrator" User-Password == "passwd"
For that to work add domain bit as local realm to proxy.conf.
2. I would like to use only certificate to check wheter or not some computer should have network connection, I dont care about login or password, if client has a valid cacert.pem installed on pc (windows xp) it should grant acces to network, is it possible to do that?
Use EAP-TLS to connect (Smart card or certificate in Windows speak).
3. when I read log from freeradius -X I see that one pc need to have 7requests in freeradius and in 8-th request is accepted, is it ok?
Yes.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2.0.4 should be available for Debian. I know, 2.0.4 freeradius is available for debian lenny but not etch unfortunately.
http://packages.debian.org/search?keywords=freeradius
2. Use EAP-TLS to connect (Smart card or certificate in Windows speak). Could you write me where in config put that?
There is nothing to configure on the server - it works in default configuration with default ca and server certificates and clients certificates made following instructions in raddb/certs/README (2.0.4 - on 1.1.3 you have to generate certificates yourself).
I tried described below but it doesnt work
What "doesn't work"? Post the debug.
and I set up on xp: local connection->properites->authentication->smart card or certificate, and I chose my cacert.pem
You should import .der version for Windows. And .p12 for client certificate. Ivan Kalik Kalik Informatika ISP
What "doesn't work"? Post the debug. server: I dont change in my config file, is the same like in first message,
client (win xp): I have local connection->authentication->method->eap(peap)->properties: validate server cert (marked checkbox), marked cacert.pem, secured password eap-mschapv2 - use my windows logon it work's properly, but only with correct user/pass in /etc/freeradius/users file now I change local connection->authentication->method->smart card or other certificate->properities: validate server cert (marked checkbox), marked cacert.pem, local connection->authentication->keep in memory inf about users for aditional network connection (unmarked checkbox - when marked nothing happend at all) debug Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37, length=159 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "PC-01\\Administrator" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72 Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076 rlm_eap: Identity does not match User-Name, setting from EAP Identity. Sending Access-Reject of id 37 to 192.168.5.206 port 1812
I am sorry, I gave you wrong debug, whatever is marked or unmarked on checkbox local connection->authentication->keep in memory information about users for aditional network connection server does not have any new lines in debug, like nothing happend at all. On Thu, May 14, 2009 at 2:24 PM, Bartosz Chodzinski <bartosz.c@gmail.com>wrote:
What "doesn't work"? Post the debug. server: I dont change in my config file, is the same like in first message,
client (win xp): I have local connection->authentication->method->eap(peap)->properties: validate server cert (marked checkbox), marked cacert.pem, secured password eap-mschapv2 - use my windows logon
it work's properly, but only with correct user/pass in /etc/freeradius/users file
now I change local connection->authentication->method->smart card or other certificate->properities: validate server cert (marked checkbox), marked cacert.pem, local connection->authentication->keep in memory inf about users for aditional network connection (unmarked checkbox - when marked nothing happend at all)
debug
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37, length=159 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "PC-01\\Administrator" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72 Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076 rlm_eap: Identity does not match User-Name, setting from EAP Identity. Sending Access-Reject of id 37 to 192.168.5.206 port 1812
I am sorry, I gave you wrong debug,
whatever is marked or unmarked on checkbox local connection->authentication->keep in memory information about users for aditional network connection server does not have any new lines in debug, like nothing happend at all.
It can't find client certificate. Check certificate store and see if certificate is where it is suposed to be.
ok full information: jpg with all setting on the not working client http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj I think it is properly, cause it work during eap (peap), am I wrong? Bartosz. On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik <tnt@kalik.net> wrote:
I am sorry, I gave you wrong debug,
whatever is marked or unmarked on checkbox local connection->authentication->keep in memory information about users for aditional network connection server does not have any new lines in debug, like nothing happend at all.
It can't find client certificate. Check certificate store and see if certificate is where it is suposed to be.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I know that date may be weird, but it doesnt matter debian-etch:~# date Sat May 14 15:46:10 CEST 2005 windows date may 2005, as well and switch as well, I forgot to check date when I created certificates, but afrer changing date in server and clietn it is not a problem Bartosz. On Thu, May 14, 2009 at 3:45 PM, Bartosz Chodzinski <bartosz.c@gmail.com>wrote:
ok full information: jpg with all setting on the not working client
http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
I think it is properly, cause it work during eap (peap), am I wrong? Bartosz.
On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik <tnt@kalik.net> wrote:
I am sorry, I gave you wrong debug,
whatever is marked or unmarked on checkbox local connection->authentication->keep in memory information about users for aditional network connection server does not have any new lines in debug, like nothing happend at all.
It can't find client certificate. Check certificate store and see if certificate is where it is suposed to be.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I tryied yesterday many times using diferent options but it doesnt work, any idea what can be wrong? Bartosz. On Thu, May 14, 2009 at 3:45 PM, Bartosz Chodzinski <bartosz.c@gmail.com>wrote:
ok full information: jpg with all setting on the not working client
http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
I think it is properly, cause it work during eap (peap), am I wrong? Bartosz.
On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik <tnt@kalik.net> wrote:
I am sorry, I gave you wrong debug,
whatever is marked or unmarked on checkbox local connection->authentication->keep in memory information about users for aditional network connection server does not have any new lines in debug, like nothing happend at all.
It can't find client certificate. Check certificate store and see if certificate is where it is suposed to be.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I tryied yesterday many times using diferent options but it doesnt work, any idea what can be wrong?
Looking at this:
you have put ca (ca_auth), not client certificate in the personal store. Ivan Kalik Kalik Informatika ISP
Thank you for answer. I put this to personal store, I think it is a client certificate, I gave a commonName ca_auth Certificate: Data: Version: 3 (0x2) Serial Number: 99:61:67:27:8b:7d:0a:b1 Signature Algorithm: sha1WithRSAEncryption Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailAddress=Email@Address.pl Validity Not Before: May 13 11:48:35 2004 GMT Not After : May 13 11:48:35 2007 GMT Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailAddress=Email@Address.pl Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d6:58:52:3c:76:b7:42:47:e8:8f:31:c8:d2:f8: 75:b6:cb:fd:29:d9:da:a2:26:1b:4a:de:c6:3a:dd: 23:b8:ab:59:64:ca:cc:63:33:b0:d6:75:4c:d5:66: 1d:eb:e6:68:b3:53:b6:61:41:ea:ed:40:a3:49:f8: 9b:45:15:d5:86:ef:fd:57:35:ae:af:72:e4:6d:95: 3a:d2:ef:6f:de:63:7c:5b:c4:a8:dd:9f:8a:9b:dc: 28:6c:18:3b:a6:b6:28:02:91:8c:53:6f:6a:55:db: c3:89:62:24:1c:ea:a4:1c:ff:16:8c:4b:00:e9:f1: ab:96:e1:d0:3a:10:38:41:ed Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 75:F4:EE:DC:BB:08:5C:11:B9:58:9D:64:11:EB:31:47:BF:23:AE:32 X509v3 Authority Key Identifier: keyid:75:F4:EE:DC:BB:08:5C:11:B9:58:9D:64:11:EB:31:47:BF:23:AE:32 DirName:/C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailAddress=Email@Address.pl serial:99:61:67:27:8B:7D:0A:B1 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 09:98:54:3d:c1:85:45:79:75:e5:c9:ed:ef:64:e2:8b:e1:5d: e6:90:4a:1e:1b:d1:83:3d:74:b3:81:39:a9:dc:cc:6c:3d:5e: 9f:6e:1c:06:6e:f6:52:40:4a:04:35:24:30:8c:73:eb:01:d6: cc:ff:7a:59:2b:72:75:7c:ed:3e:56:86:8a:db:02:66:28:06: fa:38:3b:2c:b4:e8:1f:28:22:28:07:06:48:71:59:56:39:ea: 30:05:7f:41:cb:a7:76:0c:4a:11:4f:0e:21:4e:4d:67:34:5e: 95:95:82:99:91:f1:af:af:b0:ad:d6:4c:79:90:96:f4:98:c7: 44:87 -----BEGIN CERTIFICATE----- MIIDSTCCArKgAwIBAgIJAJlhZyeLfQqxMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV BAYTAlBMMRUwEwYDVQQIEwxkb2xub3NsYXNraWUxDjAMBgNVBAoTBWZpcm1hMQ4w DAYDVQQLEwVmaXJtYTEQMA4GA1UEAxQHY2FfYXV0aDEfMB0GCSqGSIb3DQEJARYQ RW1haWxAQWRkcmVzcy5wbDAeFw0wNDA1MTMxMTQ4MzVaFw0wNzA1MTMxMTQ4MzVa MHcxCzAJBgNVBAYTAlBMMRUwEwYDVQQIEwxkb2xub3NsYXNraWUxDjAMBgNVBAoT BWZpcm1hMQ4wDAYDVQQLEwVmaXJtYTEQMA4GA1UEAxQHY2FfYXV0aDEfMB0GCSqG SIb3DQEJARYQRW1haWxAQWRkcmVzcy5wbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEA1lhSPHa3QkfojzHI0vh1tsv9KdnaoiYbSt7GOt0juKtZZMrMYzOw1nVM 1WYd6+Zos1O2YUHq7UCjSfibRRXVhu/9VzWur3LkbZU60u9v3mN8W8So3Z+Km9wo bBg7prYoApGMU29qVdvDiWIkHOqkHP8WjEsA6fGrluHQOhA4Qe0CAwEAAaOB3DCB 2TAdBgNVHQ4EFgQUdfTu3LsIXBG5WJ1kEesxR78jrjIwgakGA1UdIwSBoTCBnoAU dfTu3LsIXBG5WJ1kEesxR78jrjKhe6R5MHcxCzAJBgNVBAYTAlBMMRUwEwYDVQQI Ewxkb2xub3NsYXNraWUxDjAMBgNVBAoTBWZpcm1hMQ4wDAYDVQQLEwVmaXJtYTEQ MA4GA1UEAxQHY2FfYXV0aDEfMB0GCSqGSIb3DQEJARYQRW1haWxAQWRkcmVzcy5w bIIJAJlhZyeLfQqxMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACZhU PcGFRXl15cnt72Tii+Fd5pBKHhvRgz10s4E5qdzMbD1en24cBm72UkBKBDUkMIxz 6wHWzP96WStydXztPlaGitsCZigG+jg7LLToHygiKAcGSHFZVjnqMAV/QcundgxK EU8OIU5NZzRelZWCmZHxr6+wrdZMeZCW9JjHRIc= -----END CERTIFICATE----- am I correct or not? On Fri, May 15, 2009 at 12:55 PM, Ivan Kalik <tnt@kalik.net> wrote:
I tryied yesterday many times using diferent options but it doesnt work, any idea what can be wrong?
Looking at this:
you have put ca (ca_auth), not client certificate in the personal store.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you for answer. I put this to personal store, I think it is a client certificate, I gave a commonName ca_auth
..
Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailAddress=Email@Address.pl
...
Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailAddress=Email@Address.pl
...
X509v3 Basic Constraints: CA:TRUE
No, that looks like a self signed root certificate to me. Ivan Kalik Kalik Informatika ISP
tls { private_key_file = /etc/freeradius/eap/newkey.pem certificate_file = /etc/freeradius/eap/newcert.pem CA_file = /etc/freeradius/eap/eapCA/cacert.pem dh_file = /etc/freeradius/eap/dh random_file = /etc/freeradius/eap/random fragment_size = 1024 include_length = yes check_crl = no } I tryied both: newcert.pem and/or cacert.pem but still no communicate on debug screen: (....) Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. windows client show: verification failed. I have to do sth wrong, but I dont have any idea what. On Fri, May 15, 2009 at 2:14 PM, Ivan Kalik <tnt@kalik.net> wrote:
Thank you for answer. I put this to personal store, I think it is a client certificate, I gave a commonName ca_auth
..
Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailAddress=Email@Address.pl
...
Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailAddress=Email@Address.pl
...
X509v3 Basic Constraints: CA:TRUE
No, that looks like a self signed root certificate to me.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tls { private_key_file = /etc/freeradius/eap/newkey.pem certificate_file = /etc/freeradius/eap/newcert.pem CA_file = /etc/freeradius/eap/eapCA/cacert.pem dh_file = /etc/freeradius/eap/dh random_file = /etc/freeradius/eap/random fragment_size = 1024 include_length = yes check_crl = no }
I tryied both: newcert.pem and/or cacert.pem but still no communicate on debug screen:
Neither of them are client certificates. newcert - server certificate cacert - ca certificate Ivan Kalik Kalik Informatika ISP
Thanks, I created certificate openssl req -new -keyout /etc/freeradius/eap/client_key.pem -out /etc/freeradius/eap/client_req.pem -days 730 -passin pass:password -passout pass:password openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out /etc/freeradius/eap/client_cert.pem -passin pass:password -key password -extensions xpclient_ext -extfile /etc/freeradius/eap/xpextensions -infiles /etc/freeradius/eap/client_req.pem And I put cliet_cert.pem to both certificate stores Trusted CA and Personal Are you sure that I should not change anything in my server config files Anyway it is still not working :(. Bartosz On Fri, May 15, 2009 at 2:38 PM, Ivan Kalik <tnt@kalik.net> wrote:
tls { private_key_file = /etc/freeradius/eap/newkey.pem certificate_file = /etc/freeradius/eap/newcert.pem CA_file = /etc/freeradius/eap/eapCA/cacert.pem dh_file = /etc/freeradius/eap/dh random_file = /etc/freeradius/eap/random fragment_size = 1024 include_length = yes check_crl = no }
I tryied both: newcert.pem and/or cacert.pem but still no communicate on debug screen:
Neither of them are client certificates.
newcert - server certificate cacert - ca certificate
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And I put cliet_cert.pem to both certificate stores Trusted CA and Personal
You should import .p12 version onto the client.
Are you sure that I should not change anything in my server config files
Any particular reason you are creating certificates yourself? Why aren't you using scripts from raddb/certs directiory? Follow instructions in raddb/certs/ README. Ivan Kalik Kalik Informatika ISP
thanks, /etc/freeradius/certs/README This directory contains a number of sample certificates for use by the rlm_eap_tls module. These certificates should be used ONLY for testing purposes. If you're not using EAP-TLS, EAP-TTLS, or EAP-PEAP, then you may delete this entire directory. If you are using one or more of those authentication protocols, then the certificates included here should be replaced with ones signed by a real Certificate Authority. not to many information in that case in README, so I did (of course you are right with p12): openssl pkcs12 -export -out cliet_cert.p12 -inkey client_key.pem -in client_cert.pem and something happend: ( I think key information is TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) but uncle google find as many diferent answers as peple having this problem) log freeradius -X: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "yes" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/freeradius/eap/newkey.pem" tls: certificate_file = "/etc/freeradius/eap/newcert.pem" tls: CA_file = "/etc/freeradius/eap/eapCA/cacert.pem" tls: private_key_password = "windows" tls: dh_file = "/etc/freeradius/eap/dh" tls: random_file = "/etc/freeradius/eap/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=106, length=137 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001001636c69656e745f63657274 Message-Authenticator = 0x080bd3f4d25919886b96f969d2ae8eeb Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 106 to 192.168.5.206 port 1812 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3af5b38421ac6af91c4a0a447244ecd0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.206:1812, id=107, length=145 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3af5b38421ac6af91c4a0a447244ecd0 EAP-Message = 0x02010006030d Message-Authenticator = 0x2a999f5c3a37259efa6a052d616fba1a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/tls rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 107 to 192.168.5.206 port 1812 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x159f00d591c08a25a614b86458f97af8 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.206:1812, id=108, length=219 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x159f00d591c08a25a614b86458f97af8 EAP-Message = 0x020200500d800000004616030100410100003d0301416cd867ebc2b0ed199457e08b70d0c546a79311ab7a7bca97aa500a9707ae9800001600040005000a0009006400 Message-Authenticator = 0xd46cb3d2145f27cf6aeec79c9e9ce79d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ef], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0089], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 108 to 192.168.5.206 port 1812 EAP-Message = 0x0103040a0dc0000006d1160301004a020000460301416c8b253f830795b01f85bce293f96db3f996fa03bf0a71af5dedf9e6293b09209cee2596575c64b3481473ce8b EAP-Message = 0x40416464726573732e706c301e170d3034303531333132303735335a170d3035303531333132303735335a308184310b300906035504061302504c3115301306035504 EAP-Message = 0x45759cbeddff3459fa8ccee35dc481c8f6e6cf174513c108d649633a6caa0038a314e199755f39f9d101f1bb88c25871541dc116c77ffbc9c233acac6e065d777adeef EAP-Message = 0xecd9f6a7b38f00034d30820349308202b2a003020102020900996167278b7d0ab1300d06092a864886f70d01010505003077310b300906035504061302504c31153013 EAP-Message = 0x6d61310e300c060355040b13056669726d613110300e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9040a3706cc8c46b0e98f827fe1ad03a Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.206:1812, id=109, length=145 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x9040a3706cc8c46b0e98f827fe1ad03a EAP-Message = 0x020300060d00 Message-Authenticator = 0x56f3edff4074b4e7f3f31bf43ddab33c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 109 to 192.168.5.206 port 1812 EAP-Message = 0x010402db0d80000006d10603550403140763615f61757468311f301d06092a864886f70d0109011610456d61696c40416464726573732e706c30819f300d06092a8648 EAP-Message = 0x23ae323081a90603551d230481a130819e801475f4eedcbb085c11b9589d6411eb3147bf23ae32a17ba4793077310b300906035504061302504c311530130603550408 EAP-Message = 0x043524308c73eb01d6ccff7a592b72757ced3e56868adb02662806fa383b2cb4e81f28222807064871595639ea30057f41cba7760c4a114f0e214e4d67345e95958299 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3c8e25f0bd7437b0c00e3aa6da8a2200 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.206:1812, id=110, length=1151 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3c8e25f0bd7437b0c00e3aa6da8a2200 EAP-Message = 0x020403ee0d80000003e416030103b40b0002a40002a100029e3082029a30820203a003020102020900996167278b7d0ab4300d06092a864886f70d0101050500307731 EAP-Message = 0x6b69653110300e0603550407130757726f636c6177310e300c060355040a13056669726d61310e300c060355040b13056669726d61311430120603550403140b636c69 EAP-Message = 0xebd74539757ba335a9b237710203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101050500038181002103c5a49de9 EAP-Message = 0x6f1940d6fd963b73f10f783561d7f7f23bb5a07525c93b68780783caea502018bd47deea0cd994fc29dca0022a0a3e9d24cffa31625773b6f95572eea50c57dc3d298a Message-Authenticator = 0xadca91e74b84c7e3e853426e2450312b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 02a8], Certificate chain-depth=1, error=0 --> User-Name = client_cert --> BUF-Name = ca_auth --> subject = /C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailAddress=Email@Address.pl --> issuer = /C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailAddress=Email@Address.pl --> verify return:1 chain-depth=0, error=0 --> User-Name = client_cert --> BUF-Name = client_cert --> subject = /C=PL/ST=dolnoslaskie/L=Wroclaw/O=firma/OU=firma/CN=client_cert/emailAddress=Email@Address.pl --> issuer = /C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailAddress=Email@Address.pl --> verify return:1 TLS_accept: SSLv3 read client certificate A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify TLS_accept: SSLv3 read certificate verify A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 110 to 192.168.5.206 port 1812 EAP-Message = 0x010500350d800000002b1403010001011603010020d58b10e81445170f5b3a07df4b0b9cc6c90a04cb00a9215b2303a7074c0b565e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfe779de4752e50ac7961d75b0b3cd68b Finished request 4 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 106 with timestamp 416c8b25 Cleaning up request 1 ID 107 with timestamp 416c8b25 Cleaning up request 2 ID 108 with timestamp 416c8b25 Cleaning up request 3 ID 109 with timestamp 416c8b25 Cleaning up request 4 ID 110 with timestamp 416c8b25 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=111, length=137 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0206001001636c69656e745f63657274 Message-Authenticator = 0x659f830775091d0596d8d123c643e7ce Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 111 to 192.168.5.206 port 1812 EAP-Message = 0x010700061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3cf0290955410316037161120187ff6f Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.206:1812, id=112, length=145 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x3cf0290955410316037161120187ff6f EAP-Message = 0x02070006030d Message-Authenticator = 0xead712160624a93aea19ab90827edc27 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/tls rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 112 to 192.168.5.206 port 1812 EAP-Message = 0x010800060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa0dd02d774a7a517afd24c34828db0e8 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.206:1812, id=113, length=219 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0xa0dd02d774a7a517afd24c34828db0e8 EAP-Message = 0x020800500d800000004616030100410100003d0301416cd877cfd575976ad8ed8b77cec7fe1c97a81ef419d19e8ef2786d17169eef00001600040005000a0009006400 Message-Authenticator = 0x045e0fdde9fe8bc0f05c25b6846a5525 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 8 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ef], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0089], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 113 to 192.168.5.206 port 1812 EAP-Message = 0x0109040a0dc0000006d1160301004a020000460301416c8b35be097047d4cd35b23f5e2b4a476a576110e9cd8c19e4e9b56dc26ebd20cc05e73c0dc3b63d657e3bbeff EAP-Message = 0x40416464726573732e706c301e170d3034303531333132303735335a170d3035303531333132303735335a308184310b300906035504061302504c3115301306035504 EAP-Message = 0x45759cbeddff3459fa8ccee35dc481c8f6e6cf174513c108d649633a6caa0038a314e199755f39f9d101f1bb88c25871541dc116c77ffbc9c233acac6e065d777adeef EAP-Message = 0xecd9f6a7b38f00034d30820349308202b2a003020102020900996167278b7d0ab1300d06092a864886f70d01010505003077310b300906035504061302504c31153013 EAP-Message = 0x6d61310e300c060355040b13056669726d613110300e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0a996cc848b6e252a5e61a43b134ce9 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.5.206:1812, id=114, length=145 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0xe0a996cc848b6e252a5e61a43b134ce9 EAP-Message = 0x020900060d00 Message-Authenticator = 0xbcae487fabe5a67b7199abb7a39b84f8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 9 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 114 to 192.168.5.206 port 1812 EAP-Message = 0x010a02db0d80000006d10603550403140763615f61757468311f301d06092a864886f70d0109011610456d61696c40416464726573732e706c30819f300d06092a8648 EAP-Message = 0x23ae323081a90603551d230481a130819e801475f4eedcbb085c11b9589d6411eb3147bf23ae32a17ba4793077310b300906035504061302504c311530130603550408 EAP-Message = 0x043524308c73eb01d6ccff7a592b72757ced3e56868adb02662806fa383b2cb4e81f28222807064871595639ea30057f41cba7760c4a114f0e214e4d67345e95958299 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x10e8ef17c086eea40e96265d4c1c211d Finished request 8 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 192.168.5.206:1812, id=115, length=1151 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "client_cert" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x10e8ef17c086eea40e96265d4c1c211d EAP-Message = 0x020a03ee0d80000003e416030103b40b0002a40002a100029e3082029a30820203a003020102020900996167278b7d0ab4300d06092a864886f70d0101050500307731 EAP-Message = 0x6b69653110300e0603550407130757726f636c6177310e300c060355040a13056669726d61310e300c060355040b13056669726d61311430120603550403140b636c69 EAP-Message = 0xebd74539757ba335a9b237710203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101050500038181002103c5a49de9 EAP-Message = 0x7e0ce3792bb47a2a46722737d36f87e2ef8c35b4b684803b0aff3a79b7d97400c5d77dd738d4a04dea01a1058c0b3dbca14cf334629aee3e5f7aaff05ab312bfad6fd6 Message-Authenticator = 0xa2ad368a0ec2a1a2fbc5524f9c9e3455 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "client_cert", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 10 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 02a8], Certificate chain-depth=1, error=0 --> User-Name = client_cert --> BUF-Name = ca_auth --> subject = /C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailAddress=Email@Address.pl --> issuer = /C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailAddress=Email@Address.pl --> verify return:1 chain-depth=0, error=0 --> User-Name = client_cert --> BUF-Name = client_cert --> subject = /C=PL/ST=dolnoslaskie/L=Wroclaw/O=firma/OU=firma/CN=client_cert/emailAddress=Email@Address.pl --> issuer = /C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailAddress=Email@Address.pl --> verify return:1 TLS_accept: SSLv3 read client certificate A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify TLS_accept: SSLv3 read certificate verify A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 115 to 192.168.5.206 port 1812 EAP-Message = 0x010b00350d800000002b1403010001011603010020735b6dedb59fdb27811198c86a86bb2fdf2e96ce8f59031cc76f36b80bf1d04c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9f4e794b784914b1f67ff19696408712 Finished request 9 Going to the next request Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 111 with timestamp 416c8b35 Cleaning up request 6 ID 112 with timestamp 416c8b35 Cleaning up request 7 ID 113 with timestamp 416c8b35 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 8 ID 114 with timestamp 416c8b36 Cleaning up request 9 ID 115 with timestamp 416c8b36 Nothing to do. Sleeping until we see a request. On Fri, May 15, 2009 at 4:24 PM, Ivan Kalik <tnt@kalik.net> wrote:
And I put cliet_cert.pem to both certificate stores Trusted CA and Personal
You should import .p12 version onto the client.
Are you sure that I should not change anything in my server config files
Any particular reason you are creating certificates yourself? Why aren't you using scripts from raddb/certs directiory? Follow instructions in raddb/certs/ README.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bartosz Chodzinski wrote:
/etc/freeradius/certs/README
I've never understood why people think it's useful to post documentation from the server on this list. Do you think we haven't seen it?
and something happend: ( I think key information is TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) but uncle google find as many diferent answers as peple having this problem)
It means that you're running a server that is YEARS out of date. Why not use a more recent version?
log freeradius -X:
Sending Access-Challenge of id 115 to 192.168.5.206 port 1812 EAP-Message = 0x010b00350d800000002b1403010001011603010020735b6dedb59fdb27811198c86a86bb2fdf2e96ce8f59031cc76f36b80bf1d04c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9f4e794b784914b1f67ff19696408712 Finished request 9 Going to the next request Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 111 with timestamp 416c8b35
This is in the FAQ. Go read it. Alan DeKok.
ok (you guys propably hate me :) but please could you still give me the answers as you did before) but back to the subject: I did like you said, I installed 2.0.4 version (compiled using suggestions from: http://www.fatofthelan.com/articles/articles.php?pid=27 http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-...) Next, I make a one change in eap.conf default_eap_type = peap #was md5 and I add my switch-client to clients.conf #cd /etc/freeradius/certs #rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* I edited: ca.cnf, client.cnf, server.cnf and I change line in everyone default_bits = 1024 #was 2048 next: #make ca ca.der dh random server client Then I make the copy of ca.der and client.p12 to Windows, both of them are installed in CA and Personal directory And two things: first one: when I open properites of client certificate on XP using mmc-certificates console I have the information that "Windows doesnt have enough information to verify this certificate" "You have proper private key to this certificate" (it is non-english system so its translation but I think translation is ok) second one: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 18 2009 at 12:50:33 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.5.0/24 { require_message_authenticator = no secret = "windows" shortname = "private-network-2" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=138, length=147 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0xc718b1d4b7b081aec676335c3b5212a5 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "example.com" for User-Name = " user@example.com" rlm_realm: Found realm "example.com" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "example.com" rlm_realm: Proxying request from user user to realm example.com rlm_realm: Preparing to proxy authentication request to realm " example.com" ++[suffix] returns updated rlm_eap: Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 188 to 127.0.0.1 port 1812 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x313338 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 188 to 127.0.0.1 port 1812 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x313338 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=188, length=140 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0xc54d60ff3ff696c5454632125d942c95 Proxy-State = 0x313338 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [user/<via Auth-Type = EAP>] (from client localhost port 50046 cli 00-0A-E4-13-1A-02) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 188 to 127.0.0.1 port 1814 Proxy-State = 0x313338 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=188, length=25 Proxy-State = 0x313338 +- entering group post-proxy rlm_eap: No pre-existing handler found ++[eap] returns noop Login incorrect (Home Server says so): [user@example.com/<no User-Password attribute>] (from client private-network-2 port 50046 cli 00-0A-E4-13-1A-02) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 138 to 192.168.5.206 port 1812 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 188 with timestamp +17 Cleaning up request 0 ID 138 with timestamp +17 Ready to process requests.
I installed 2.0.4 version (compiled using suggestions from: http://www.fatofthelan.com/articles/articles.php?pid=27 http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-...)
If you downloaded current version, you wouldn't need to ask. You have to change makefile, so client certificates are signed by the ca and not server certificate. MS introduced that glitch post XP SP2.
second one: rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=138, length=147
...
User-Name = "user@example.com"
...
rlm_realm: Found realm "example.com" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "example.com" rlm_realm: Proxying request from user user to realm example.com
...
Sending Access-Request of id 188 to 127.0.0.1 port 1812 ... User-Name = "user" ... rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler ++[eap] returns invalid auth: Failed to validate the user.
You can't strip the username in EAP. Ivan Kalik Kalik Informatika ISP
Hi,
ok (you guys propably hate me :) but please could you still give me the answers as you did before) but back to the subject: I did like you said, I installed 2.0.4 version (compiled using suggestions from: http://www.fatofthelan.com/articles/articles.php?pid=27 http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-...)
you are using an old version, you are using random 3rd party instructions of dubious dates and knowledge.
first one: when I open properites of client certificate on XP using mmc-certificates console I have the information that "Windows doesnt have enough information to verify this certificate" "You have proper private key to this certificate" (it is non-english system so its translation but I think translation is ok)
this means you didnt install the CA - ensure you've added it to the trusted CA list in the system - use the certificate MMC Snapin.
second one:
original packet has this:
User-Name = "user@example.com"
this is then proxied to the system handling example.com:
rlm_realm: Looking up realm "example.com" for User-Name = " user@example.com" rlm_realm: Found realm "example.com" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Adding Realm = "example.com" rlm_realm: Proxying request from user user to realm example.com rlm_realm: Preparing to proxy authentication request to realm " example.com" ++[suffix] returns updated
..which then says this:
rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler
so..somewhere along the line you are playing with the User-Name attribute...something which you cannot do with EAP - if you take a standard 2.1.6 install and make the basic changes to your eap.conf and clients.conf it will work. alan
so..somewhere along the line you are playing with the User-Name attribute...something which you cannot do with EAP - if you take a standard 2.1.6 install and make the basic changes to your eap.conf and clients.conf it will work.
which Linux distribution should I use? So far I tryied debian-etchnhalf, or CentOS, and in every How to its written that I have to compile it by mysefl. This how to didnt work anyway... so I will try what you will suggest. Bartosz.
Hi,
which Linux distribution should I use? So far I tryied debian-etchnhalf, or CentOS, and in every How to its written that I have to compile it by mysefl. This how to didnt work anyway... so I will try what you will suggest. Bartosz.
theres nothing wrong with compiling it yourself - so long as you have the right dev libraries installed so all the bits you want get compiled.. you can check whats not going to be built be parsing the configure output eg ./configure --with-options-you-want | grep WARNING ignore the WARNING entries for things you care not about and fix the WARNING that you need (eap PEAP) by installing the needed libraries....eg openssl-devel some distros come with a more recent FreeRADIUS (or have RPM / PKG available for them - eg Fedora Core 11) the default config from the source build is pretty much ready for anything you want after just editing a few lines in the config (so long as the supporting code - eg EAP ) has been compiled alan
Ok, I downloaded 2.1.6 # unp freeradius-server-2.1.6.tar.gz # cd /usr/src/freeradius-server-2.1.6 # dpkg-buildpackage -rfakeroot -uc -us # dpkg -i freeradius_2.1.6-0_i386.deb - instalator create ca and server certs in /etc/freeradius/certs directory # cd /etc/freeradius/certs # make client next I made a copy of ca.der and client.p12 to xp directory, next I opened mmc and install both of them to Trusted Root Certificate Authorities and to Personal exclamation mark on client certificate: "windows does not have enough information to verify this certificate" "you have private key that corresponds to this certificate" http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu changes in /etc/freeradius/eap.conf only one line has been changed: default_eap_type = peap changes in /etc/freeradius/clients.conf client 192.168.5.0/24 { secret = password shortname = private-network-2 } log: #/etc/init.d/freeradius stop #freeradius -X FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on May 19 2009 at 09:45:44 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/control-socket group = freerad user = freerad including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.5.0/24 { require_message_authenticator = no secret = "windows" shortname = "private-network-2" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/freeradius/freeradius.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/freeradius/freeradius.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=193, length=147 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x51cdfd0449d610be4293f0896a9f8bb4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Stripped-User-Name = "user" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 3 to 127.0.0.1 port 1812 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x313933 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 3 to 127.0.0.1 port 1812 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x313933 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=3, length=140 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0xaaf6e92da743a415aa60c8bb9e22943b Proxy-State = 0x313933 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 3 to 127.0.0.1 port 1814 Proxy-State = 0x313933 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=3, length=25 Proxy-State = 0x313933 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 193 to 192.168.5.206 port 1812 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 3 with timestamp +89 Cleaning up request 0 ID 193 with timestamp +89 Ready to process requests.
# make client
next I made a copy of ca.der and client.p12 to xp directory, next I opened mmc and install both of them to Trusted Root Certificate Authorities and to Personal
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" "you have private key that corresponds to this certificate"
This is explained in raddb/certs/README - Compatibility. You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate. Ivan Kalik Kalik Informatika ISP
So in other words this script is for all clients exept microsofts-like ?
You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate. do you have such altered makefile?
On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik <tnt@kalik.net> wrote:
# make client
next I made a copy of ca.der and client.p12 to xp directory, next I opened mmc and install both of them to Trusted Root Certificate Authorities and to Personal
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" "you have private key that corresponds to this certificate"
This is explained in raddb/certs/README - Compatibility. You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I created once again certs by myself, giving common name for user cert the same like in example user@example.com, I place them on xp client - both of them looks ok, now something is happening (anyway like Aragorn said: "still not king"): Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] Found realm "example.com" [suffix] Adding Stripped-User-Name = "user" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 14 to 127.0.0.1 port 1812 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x323036 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 14 to 127.0.0.1 port 1812 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x323036 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14, length=140 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633 Proxy-State = 0x323036 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 14 to 127.0.0.1 port 1814 Proxy-State = 0x323036 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14, length=25 Proxy-State = 0x323036 +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 206 to 192.168.5.206 port 1812 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 14 with timestamp +43 Cleaning up request 0 ID 206 with timestamp +43 Ready to process requests. On Tue, May 19, 2009 at 2:23 PM, Bartosz Chodzinski <bartosz.c@gmail.com>wrote:
So in other words this script is for all clients exept microsofts-like ?
You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate. do you have such altered makefile?
On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik <tnt@kalik.net> wrote:
# make client
next I made a copy of ca.der and client.p12 to xp directory, next I opened mmc and install both of them to Trusted Root Certificate Authorities and to Personal
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" "you have private key that corresponds to this certificate"
This is explained in raddb/certs/README - Compatibility. You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I created once again certs by myself, giving common name for user cert the same like in example user@example.com, I place them on xp client - both of them looks ok, now something is happening (anyway like Aragorn said: "still not king"):
Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147 ... User-Name = "user@example.com" ... [suffix] Found realm "example.com" [suffix] Adding Stripped-User-Name = "user" [suffix] Adding Realm = "example.com" [suffix] Proxying request from user user to realm example.com [suffix] Preparing to proxy authentication request to realm "example.com" ++[suffix] returns updated ... Sending Access-Request of id 14 to 127.0.0.1 port 1812 ... User-Name = "user" ... Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. ...
Don't strip the username. Why do you proxy this anyway? Create it as a local realm: realm example.com { } Ivan Kalik Kalik Informatika ISP
Don't strip the username. Why do you proxy this anyway? Create it as a local realm: I am using basic configuration without changes in config cause:
so..somewhere along the line you are playing with the User-Name attribute...something which you cannot do with EAP - if you take a standard 2.1.6 install and make the basic changes to your eap.conf and clients.conf it will work.
"make the basic changes to your eap.conf and client.conf it will work" it wont. are all of you had so many troubles with radius or only me has so bad luck I tried to make my first config a year ago, only have succes with eap=md5, after month figting with peap I gave up, now I have some communicates on screen, but answers "basic changes" are really not helpful. my realm example.com was: realm example.com { auth_pool = my_auth_failover } when I changed in proxy.conf it to realm example.com { } radius wont start #freeradius -X ... radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } realm example.com { } realm LOCAL { } realm NULL { } /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist
Bartosz Chodzinski wrote:
"make the basic changes to your eap.conf and client.conf it will work" it wont.
You can believe that, which means that everyone else is lying. They just download the software, follow the guides, and it "just works". But... because it doesn't work for you, they must be lying. Or, maybe you didn't follow the guides.
are all of you had so many troubles with radius or only me has so bad luck
Many people have problems. Those problems are almost always caused by doing *too much*, without understanding what they're doing.
my realm example.com was:
And here we have a problem. The EAP guides do NOT say to add realms. Why are you doing this? Follow the guides. Do nothing MORE than what the guides say. If you do NOT follow the guides, then do NOT complain that they don't work.
when I changed in proxy.conf it to
realm example.com { }
radius wont start ... realm example.com { }
So it IS loading the "example.com" realm.
realm LOCAL { } realm NULL { } /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist
Is it really that difficult to read the debugging output? 1) It loads the realm "example.com" just fine. No problems. 2) Line 498 of /etc/freeradius/proxy.conf refers to a home server that doesn't exist. This error has *NOTHING* to do with the realm example.com The issue here is that you are NOT following the guides, and you are NOT reading the debugging output. Alan DeKok.
could you give me good freeradius guide for dummies - I think I need it :) On Wed, May 20, 2009 at 9:30 AM, Alan DeKok <aland@deployingradius.com>wrote:
Bartosz Chodzinski wrote:
"make the basic changes to your eap.conf and client.conf it will work" it wont.
You can believe that, which means that everyone else is lying. They just download the software, follow the guides, and it "just works". But... because it doesn't work for you, they must be lying.
Or, maybe you didn't follow the guides.
are all of you had so many troubles with radius or only me has so bad luck
Many people have problems. Those problems are almost always caused by doing *too much*, without understanding what they're doing.
my realm example.com was:
And here we have a problem. The EAP guides do NOT say to add realms. Why are you doing this?
Follow the guides. Do nothing MORE than what the guides say.
If you do NOT follow the guides, then do NOT complain that they don't work.
when I changed in proxy.conf it to
realm example.com { }
radius wont start ... realm example.com { }
So it IS loading the "example.com" realm.
realm LOCAL { } realm NULL { } /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist
Is it really that difficult to read the debugging output?
1) It loads the realm "example.com" just fine. No problems.
2) Line 498 of /etc/freeradius/proxy.conf refers to a home server that doesn't exist. This error has *NOTHING* to do with the realm example.com
The issue here is that you are NOT following the guides, and you are NOT reading the debugging output.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bartosz Chodzinski wrote:
could you give me good freeradius guide for dummies - I think I need it :)
$ man radiusd It contains a section describing how to make changes to the configuration files. For EAP, see http://deployingradius.com The front page contains 4 steps to get EAP working. Follow the steps. Start with the DEFAULT configuration. Do NOT make changes unless the guide says to. EAP *will* work. Alan DeKok.
Hey People!, I am not saying that you are lying, I even didnt think like that, I never intend to insult you, for god sake, I am asking for help - that mean that you are the masters and I am the student yes, it annyoing me - I start to do something with radius cause I felt that is good idea to know how to do it, and how it works but I meet the wall I can't crush so I am often have to countig to 10 to stay on ground. back to the subject: proxy.conf proxy server { default_fallback = no } home_server localhost { type = auth ipaddr = 127.0.0.1 port = 1812 secret = testing123 require_message_authenticator = no response_window = 20 zombie_period = 40 revive_interval = 120 status_check = status-server check_interval = 30 num_answers_to_alive = 3 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server virtual.example.com { virtual_server = virtual.example.com } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { # auth_pool = my_auth_failover #commented by me /by Ivan suggestion/ } realm LOCAL { } realm NULL { secret = password } On Wed, May 20, 2009 at 10:21 AM, Alan DeKok <aland@deployingradius.com>wrote:
Bartosz Chodzinski wrote:
could you give me good freeradius guide for dummies - I think I need it :)
$ man radiusd
It contains a section describing how to make changes to the configuration files.
For EAP, see http://deployingradius.com
The front page contains 4 steps to get EAP working. Follow the steps. Start with the DEFAULT configuration. Do NOT make changes unless the guide says to. EAP *will* work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bartosz Chodzinski wrote:
I am not saying that you are lying, I even didnt think like that, I never intend to insult you,
You're not insulting us. I am asking you to *think* about what you are saying.
yes, it annyoing me - I start to do something with radius cause I felt that is good idea to know how to do it, and how it works but I meet the wall I can't crush so I am often have to countig to 10 to stay on ground. back to the subject:
No. You are NOT listening. You are NOT following instructions. We do NOT want to see copies of your configuration. If your configuration is the SAME as the default, then we've already seen it many times. If your configuration is NOT the same as the default, then you are changing it after being told to NOT change it. Follow instructions and it will work. This is the LAST time I will say this. If you keep sending email that shows you are NOT following instructions, I will NOT respond to it. I cannot help you if you refuse to follow my instructions. Alan DeKok.
could you give me good freeradius guide for dummies - I think I need it :)
Guide: don't make any changes to the default configuration unless you know what you are doing. That's it. Server is configured by default to handle EAP-TLS. There is nothing that you need to do to make it happen. Now, about your problem: freeradius uses fake realm example.com - for examples. Of proxying, fail-over home servers, use of vitual servers etc. Why are *you* using it as well? These examples are not what you want to do. Use your own domain. For EAP-TLS - no modification needed. I have seen you going on about PEAP as well. If those users are also using format user@your_domain, then create local realm your_domain - it won't interfere with EAP-TLS and will create Stripped-User-Name that can be used for authentication. Ivan Kalik Kalik Informatika ISP
back to the begining and using the most simple conf. to be sure that I have clear configuration #apt-get remove freeradius #dpkg -P freeradius #dpkg -i freeradius_2.1.6-0_i386.deb server is Debian etchnhalf, it is virtual server on VMware ESX Server 3i, 3.5.0 now I have clear configuration and make simply changes changes: radiusd.conf proxy_requests = no #was yes, set to no cause I dont need it #$INCLUDE proxy.conf #was uncommented, see above eap.conf no changes at all clients.conf add a client - 192.168.5.0/24.... (client Cisco 2950) next I made client certificate (using standard scripts) #cd /etc/freeradius/certs #make client and install certificates client.p12, ca.der on Win Xp Prof Sp3 OEM, Acer Travel Mate 380 certificates installed in Trusted Root CA and Personal storages (I deleted all previous certs on that system) I still have a problem - described in prvious post
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" "you have private key that corresponds to this certificate" http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu but I am frightened to make any changes without your permision in /etc/freeradius/certs/Makefile, and evethough I have your permission I still dont know what to change I get familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I did not find what to change in this file
Ivan write:
Use your own domain. For EAP-TLS - no modification needed. I have seen you going on about PEAP as well. If those users are also using format user@your_domain, then create local realm your_domain - it won't interfere with EAP-TLS and will create Stripped-User-Name that can be used for authentication. I dont want to have a domain yet, all I want to have at the beggining: server radius + server certificate (common name: server_cert - signed by my_radius_CA) clients radius (cisco 2950) user radius (winxp) + client certificate (common name: client_cert - signed by my_radius_CA) no usernames, no password for usernames, no proxies, no domains at all
I used files - ca, server, client, da, random created by /etc/freeradius/certs/bootstrap script I know that I am at the start of the topic, I am listening, really. Bartosz. freeradius -X rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=226, length=147 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x9bcadf204cf30292cfb7f1abed75501b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 226 to 192.168.5.206 port 1812 EAP-Message = 0x0101001604108a193ba39f65974f35dc5b3140db877f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x495360bd49526405f11f72d516a953d3 Finished request 0. Going to the next request On Wed, May 20, 2009 at 11:38 AM, Ivan Kalik <tnt@kalik.net> wrote:
could you give me good freeradius guide for dummies - I think I need it :)
Guide: don't make any changes to the default configuration unless you know what you are doing. That's it.
Server is configured by default to handle EAP-TLS. There is nothing that you need to do to make it happen.
Now, about your problem: freeradius uses fake realm example.com - for examples. Of proxying, fail-over home servers, use of vitual servers etc. Why are *you* using it as well? These examples are not what you want to do.
Use your own domain. For EAP-TLS - no modification needed. I have seen you going on about PEAP as well. If those users are also using format user@your_domain, then create local realm your_domain - it won't interfere with EAP-TLS and will create Stripped-User-Name that can be used for authentication.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
next I made client certificate (using standard scripts) #cd /etc/freeradius/certs #make client and install certificates client.p12, ca.der on Win Xp Prof Sp3 OEM, Acer Travel Mate 380 certificates installed in Trusted Root CA and Personal storages (I deleted all previous certs on that system)
I still have a problem - described in prvious post
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" "you have private key that corresponds to this certificate" http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu but I am frightened to make any changes without your permision in /etc/freeradius/certs/Makefile, and evethough I have your permission I still dont know what to change
Yes, we have been through this before. Change mak clients in Makefile, so that it uses ca and not server certificate to sign client certificates. I would create changes and save them as Makefile.CA. Perhaps that can be added into the distribution, so you would just rename Makefile to Makefile.old and Makefile.CA to Makefile in order to make this switch (and add comments about that in README file).
I get familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I did not find what to change in this file
Because that's openSSL stuff, not Freeradius. If you don't know what to change, I will post this file overnight, when I have a bit more time.
Ivan write:
Use your own domain. For EAP-TLS - no modification needed. I have seen you going on about PEAP as well. If those users are also using format user@your_domain, then create local realm your_domain - it won't interfere with EAP-TLS and will create Stripped-User-Name that can be used for authentication. I dont want to have a domain yet, no usernames, no password for usernames, no proxies, no domains at all
Yet:
User-Name = "user@example.com"
you created the user with the domain. As I said previously, there are preset example files in the default configuration. You need to alter clent.cnf and enter details for your test user without the domain in the name. If you need guidance about altering those files you should look it up on openSSL site. Ivan Kalik Kalik Informatika ISP
Bartosz Chodzinski wrote:
back to the begining and using the most simple conf. ... now I have clear configuration and make simply changes
changes: radiusd.conf proxy_requests = no #was yes, set to no cause I dont need it
The guide didn't say to do that. ...
I still have a problem - described in prvious post
The steps you took show that you are NOT following the guide. Good luck. You clearly are *not* interested in solving the problem. Alan DeKok.
The steps you took show that you are NOT following the guide. Good luck. You clearly are *not* interested in solving the problem.
the guide in radiusd.conf says: #The server has proxying turned on by default. If your system is NOT # set up to proxy requests to another server, then you can turn proxying # off here. This will save a small amount of resources on the server. I tried to read carefully with undrestanding, I dont use proxy, my system not sending request to another server, so I turned it off. On Wed, May 20, 2009 at 1:35 PM, Alan DeKok <aland@deployingradius.com>wrote:
Bartosz Chodzinski wrote:
back to the begining and using the most simple conf. ... now I have clear configuration and make simply changes
changes: radiusd.conf proxy_requests = no #was yes, set to no cause I dont need it
The guide didn't say to do that.
...
I still have a problem - described in prvious post
The steps you took show that you are NOT following the guide.
Good luck. You clearly are *not* interested in solving the problem.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The steps you took show that you are NOT following the guide. Good luck. You clearly are *not* interested in solving the problem.
the guide in radiusd.conf says: #The server has proxying turned on by default. If your system is NOT # set up to proxy requests to another server, then you can turn proxying # off here. This will save a small amount of resources on the server. I tried to read carefully with undrestanding, I dont use proxy, my system not sending request to another server, so I turned it off.
You might not want to, but you *are* proxying your requests. You have created client certificate with predefined data in client.cnf - which is part of the proxy demonstration setup. So, leave proxy settings alone and concentrate on doing what you have been advised - changing data in client.cnf so created client certificate won't have @example.com as part of the username. Ivan Kalik Kalik Informatika ISP
ok I changed it to default proxy_requests = yes $INCLUDE proxy.conf /etc/freeradius/certs/Makefile was #client.crt: client.csr server.crt server.key index.txt serial # openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf is now: client.crt: client.csr ca.pem ca.key index.txt serial openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf changes in client.cnf was: certificate = $dir/server.pem serial = $dir/serial private_key = $dir/server.key commonName = user@example.com is now: certificate = $dir/ca.pem serial = $dir/serial private_key = $dir/ca.key commonName = user_certificate now after instalation ca.der and client.p12 in windows everything in certificate stores seams to be ok. there is no exclamation mark on user_certificate, and certification path is ok back to the server: Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=240, length=147 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user_certificate" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001501757365725f6365727469666963617465 Message-Authenticator = 0x0d65a52fd78035c3c828c30d2a2442d9 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "user_certificate", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 240 to 192.168.5.206 port 1812 EAP-Message = 0x0101001604100c91af03e9cd5c25126407d36f22684a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb5a5cfd0b5a4cb20491e5ee122e4a622 Finished request 0. Going to the next request On Wed, May 20, 2009 at 2:39 PM, Ivan Kalik <tnt@kalik.net> wrote:
The steps you took show that you are NOT following the guide. Good luck. You clearly are *not* interested in solving the problem.
the guide in radiusd.conf says: #The server has proxying turned on by default. If your system is NOT # set up to proxy requests to another server, then you can turn proxying # off here. This will save a small amount of resources on the server. I tried to read carefully with undrestanding, I dont use proxy, my system not sending request to another server, so I turned it off.
You might not want to, but you *are* proxying your requests. You have created client certificate with predefined data in client.cnf - which is part of the proxy demonstration setup. So, leave proxy settings alone and concentrate on doing what you have been advised - changing data in client.cnf so created client certificate won't have @example.com as part of the username.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
realm example.com { } realm LOCAL { } realm NULL { } /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist
thats very interesting - because in the default proxy.conf there IS an entry for home_server localhost. so, I'll repeat once again, do not just randomly edit and remove config entries. just change or add the few lines that you need and 'it will work' I'm not lying - i've been using this software since the very early days when it didnt 'just work' - going through the 1.0.x and 1.1.x where it started to work and now with the joys of 2.1.x where its pretty amazingly almost ready for production use with little or no changes! alan
What "doesn't work"? Post the debug. server: I dont change in my config file, is the same like in first message,
client (win xp): I have local connection->authentication->method->eap(peap)->properties: validate server cert (marked checkbox), marked cacert.pem, secured password eap-mschapv2 - use my windows logon
it work's properly, but only with correct user/pass in /etc/freeradius/users file
OK. That's PEAP.
now I change local connection->authentication->method->smart card or other certificate->properities: validate server cert (marked checkbox), marked cacert.pem, local connection->authentication->keep in memory inf about users for aditional network connection (unmarked checkbox - when marked nothing happend at all)
debug
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37, length=159 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "PC-01\\Administrator" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72 Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076 rlm_eap: Identity does not match User-Name, setting from EAP Identity.
The name on the certificate is not the same as that User-Name. Fix that. Ivan Kalik Kalik Informatika ISP
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Bartosz Chodzinski -
Ivan Kalik