Hi, I do not succeed to authenticate others client in mine system. I have used three scripts to generate certs root, server and client (with xpextension). They exist of the certs for multi clients to use for eap-tls? Somebody it has of the councils on like making? thanks Matteo
On 8/29/06, Lazzarini Matteo <MLazzarini@crema.unimi.it> wrote:
I have used three scripts to generate certs root, server and client (with xpextension). They exist of the certs for multi clients to use for eap-tls? Hi,
Which scripts? I'm not sure what your last sentence means. Afaik you should give out one (client) certificate per user. Whats the debugging output? Supposing it's the *same* problem as with your previous tests regarding eap-peap/mschapv2 did you check for the hint Alan gave? Furthermore the whole range suggested in <44EC33BA.5060105@c-lab.de> might be useful. (regarding #1, please see http://lists.shmoo.com/pipermail/hostap/2006-July/013673.html ). While perhaps being the most cumbersome, a full capture like suggested might be also most instructive. The nas log you showed in <44EC921B.1010706@crema.unimi.it> sadly isn't very concise. But as it somehow mentiones an EAP-Response with your desired username, it would be good to know if/when/how it sends those out to freeradius, as they seem to get lost. So capturing the traffic between nas and freeradius would be a good idea also. If that doesn't give yourself any clues, I'd suggest providing url's where to download those informations. Please don't try to put some digested information into an line mangling mua or an eventually similar way of making it unnecessary hard to look into it for those trying to help. regards K. Hoercher
OK. First of all I make excuses myself for my little precise English. :-( The scripts about which I speak they are those inside of the "scripts" directory of freeradius sources. (CA.all) I use the client's certificate (cert-clt.p12) for my user who connects itself correctly to the wlan, authenticated from freeradius whit eap-tls. Now therefore not there are more problems for that it regards the authentication. What I wanted to know is if there is a way in order to obtain more certs for others client of the wlan. The CA.all script generates me only 1 server, 1 client and 1 root.... Thanks -----Messaggio originale----- Da: freeradius-users-bounces+mlazzarini=crema.unimi.it@lists.freeradius.org per conto di K. Hoercher Inviato: mar 29/08/2006 14.51 A: FreeRadius users mailing list Oggetto: Re: EAP-TLS multi clients On 8/29/06, Lazzarini Matteo <MLazzarini@crema.unimi.it> wrote:
I have used three scripts to generate certs root, server and client (with xpextension). They exist of the certs for multi clients to use for eap-tls? Hi,
Which scripts? I'm not sure what your last sentence means. Afaik you should give out one (client) certificate per user. Whats the debugging output? Supposing it's the *same* problem as with your previous tests regarding eap-peap/mschapv2 did you check for the hint Alan gave? Furthermore the whole range suggested in <44EC33BA.5060105@c-lab.de> might be useful. (regarding #1, please see http://lists.shmoo.com/pipermail/hostap/2006-July/013673.html ). While perhaps being the most cumbersome, a full capture like suggested might be also most instructive. The nas log you showed in <44EC921B.1010706@crema.unimi.it> sadly isn't very concise. But as it somehow mentiones an EAP-Response with your desired username, it would be good to know if/when/how it sends those out to freeradius, as they seem to get lost. So capturing the traffic between nas and freeradius would be a good idea also. If that doesn't give yourself any clues, I'd suggest providing url's where to download those informations. Please don't try to put some digested information into an line mangling mua or an eventually similar way of making it unnecessary hard to look into it for those trying to help. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK. First of all I excuseme for my English. :-( The scripts about which I speak they are those inside of the "scripts" directory of freeradius sources. (CA.all) I use the client's certificate (cert-clt.p12) for my user who connects itself correctly to the wlan, authenticated from freeradius whit eap-tls. Now therefore not there are more problems for that it regards the authentication. There is a way to obtain more certs for others clients of the wlan (multi-clients). The CA.all script generates me only 1 server, 1 client and 1 root.... Thanks -----Messaggio originale----- Da: freeradius-users-bounces+mlazzarini=crema.unimi.it@lists.freeradius.org per conto di K. Hoercher Inviato: mar 29/08/2006 14.51 A: FreeRadius users mailing list Oggetto: Re: EAP-TLS multi clients On 8/29/06, Lazzarini Matteo <MLazzarini@crema.unimi.it> wrote:
I have used three scripts to generate certs root, server and client (with xpextension). They exist of the certs for multi clients to use for eap-tls? Hi,
Which scripts? I'm not sure what your last sentence means. Afaik you should give out one (client) certificate per user. Whats the debugging output? Supposing it's the *same* problem as with your previous tests regarding eap-peap/mschapv2 did you check for the hint Alan gave? Furthermore the whole range suggested in <44EC33BA.5060105@c-lab.de> might be useful. (regarding #1, please see http://lists.shmoo.com/pipermail/hostap/2006-July/013673.html ). While perhaps being the most cumbersome, a full capture like suggested might be also most instructive. The nas log you showed in <44EC921B.1010706@crema.unimi.it> sadly isn't very concise. But as it somehow mentiones an EAP-Response with your desired username, it would be good to know if/when/how it sends those out to freeradius, as they seem to get lost. So capturing the traffic between nas and freeradius would be a good idea also. If that doesn't give yourself any clues, I'd suggest providing url's where to download those informations. Please don't try to put some digested information into an line mangling mua or an eventually similar way of making it unnecessary hard to look into it for those trying to help. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 8/29/06, Lazzarini Matteo <MLazzarini@crema.unimi.it> wrote:
First of all I excuseme for my English. :-(
Ah no problem, after it got sorted out.
itself correctly to the wlan, authenticated from freeradius whit eap-tls. Now therefore not there are more problems for that it regards the authentication.
Grats. So it was just my pessimism to suppose there are still issues.
The CA.all script generates me only 1 server, 1 client and 1 root....
Hm. Ok, those are just provided to be able to check the freeradius setup with respect to eap et al., they are not meant to be a production CA. So I'd suggest looking at openssl.org for further information (looking at the scripts might give you some starting point though). Basically you are to issue (unique) client certs (modelled to the one CA.all gave you) to other users either by acting as your own CA or using some commercial CA. regards K. Hoercher
K. Hoercher wrote:
On 8/29/06, Lazzarini Matteo <MLazzarini@crema.unimi.it> wrote:
First of all I excuseme for my English. :-(
Ah no problem, after it got sorted out.
itself correctly to the wlan, authenticated from freeradius whit eap-tls. Now therefore not there are more problems for that it regards the authentication.
Grats. So it was just my pessimism to suppose there are still issues.
The CA.all script generates me only 1 server, 1 client and 1 root....
Hm. Ok, those are just provided to be able to check the freeradius setup with respect to eap et al., they are not meant to be a production CA. So I'd suggest looking at openssl.org for further information (looking at the scripts might give you some starting point though). Basically you are to issue (unique) client certs (modelled to the one CA.all gave you) to other users either by acting as your own CA or using some commercial CA.
regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have need of certs for 3 clients, for some tests on freeradius with a sniffer that it capture the input . Therefore I want certs of test the type which already use, generated with the CA.all script. How I can make 3 certs for distinct for the clients? Is it possible to modify CA.all in order to create certs for 1 root, 1 serveur and 3 or more client certs for EAP-TLS (xpextension incuded)? Someone knows gives me of the information also on the guides who can help me? Thousand thanks for all Matteo ;-)
Matteo Lazzarini wrote:
K. Hoercher wrote:
On 8/29/06, Lazzarini Matteo <MLazzarini@crema.unimi.it> wrote:
First of all I excuseme for my English. :-(
Ah no problem, after it got sorted out.
itself correctly to the wlan, authenticated from freeradius whit eap-tls. Now therefore not there are more problems for that it regards the authentication.
Grats. So it was just my pessimism to suppose there are still issues.
The CA.all script generates me only 1 server, 1 client and 1 root....
Hm. Ok, those are just provided to be able to check the freeradius setup with respect to eap et al., they are not meant to be a production CA. So I'd suggest looking at openssl.org for further information (looking at the scripts might give you some starting point though). Basically you are to issue (unique) client certs (modelled to the one CA.all gave you) to other users either by acting as your own CA or using some commercial CA.
regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have need of certs for 3 clients, for some tests on freeradius with a sniffer that it capture the input . Therefore I want certs of test the type which already use, generated with the CA.all script. How I can make 3 certs for distinct for the clients? Is it possible to modify CA.all in order to create certs for 1 root, 1 serveur and 3 or more client certs for EAP-TLS (xpextension incuded)? Someone knows gives me of the information also on the guides who can help me? Thousand thanks for all
Matteo ;-) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Someone knows to give to me of info/help? Thanks
Hi, Well, as I have already told you, you should look for information regarding ssl (so, openssl.org is a most prominent starting point), which isn't a freeradius issue and as such is off topic here. In any event, even if it were, to keep pounding this list, because nobody did serve immediately to your needs, is considered not very nice. hth K. Hoercher
participants (3)
-
K. Hoercher -
Lazzarini Matteo -
Matteo Lazzarini