Hi Ivan, ok could you let me know what do i need to alter in the Make File. Just wanted to make sure i dont do something wrong here What are the steps that i need to take to do this. I can see a Makefile in /etc/raddb/certs Thanks Devinder 2009/8/4 Ivan Kalik <tnt@kalik.net>:
OK, I think this is the issue where Windows refuses to accept server certificate as the intermediate CA. You should alter Makefile in certs to sign client certificates with CA and not server certificate.
Ivan Kalik Kalik Informatika ISP
Hi Ivan
I still get the same error now
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 03b2], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> devinder@palettemm.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 141 to 203.121.4.59 port 6001 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 1 ID 135 with timestamp +120 Cleaning up request 2 ID 136 with timestamp +120 Cleaning up request 3 ID 137 with timestamp +120 Cleaning up request 4 ID 138 with timestamp +120 Cleaning up request 5 ID 139 with timestamp +120 Cleaning up request 6 ID 140 with timestamp +120 Waking up in 1.0 seconds. Cleaning up request 7 ID 141 with timestamp +120 Ready to process requests.
2009/8/4 Devinder Singh <devinbhullar@gmail.com>:
Ok i took your advise and yes its a diffeenrent error now
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 203.121.4.59 port 6001, id=134, length=181 User-Name = "devinder@palettemm.com" NAS-IP-Address = 203.121.4.59 Called-Station-Id = "00-20-a6-6c-49-9d:palstaff" Calling-Station-Id = "00-04-23-7b-56-b9" NAS-Identifier = "ORiNOCO-AP-700-6c-49-9d" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0203001b01646576696e6465724070616c657474656d6d2e636f6d Message-Authenticator = 0xb7f29ed2232abda7b5b24bb131883617 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "palettemm.com" for User-Name = "devinder@palettemm.com" [suffix] No such realm "palettemm.com" ++[suffix] returns noop [eap] EAP packet type response id 3 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry devinder@palettemm.com at line 94 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 134 to 203.121.4.59 port 6001 EAP-Message = 0x010400160410edd3007f1e599b71120693ed62eaee7c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17b5db9117b1dfd16583cca5ed9db022 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 134 with timestamp +1 Ready to process requests.
2009/8/4 Devinder Singh <devinbhullar@gmail.com>:
HI Ivan
Thanks. Yes i have double click on the ca.der file and client.p12 both were installed successfuly.
I also manaed to set up my SSID palstaff and when i click on the SSID i see a pop up windows on my wireles LAN asking for my username on certificate and i selected
devinder@palettemm.com from the combo drop down list and click OK
when i click OK radius reports the following error
TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> devinder@palettemm.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 133 to 203.121.4.59 port 6001 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.6 seconds. Cleaning up request 0 ID 127 with timestamp +18 Cleaning up request 1 ID 128 with timestamp +18 Cleaning up request 2 ID 129 with timestamp +18 Cleaning up request 3 ID 130 with timestamp +18 Cleaning up request 4 ID 131 with timestamp +18 Waking up in 0.2 seconds. Cleaning up request 5 ID 132 with timestamp +18 Waking up in 1.0 seconds. Cleaning up request 6 ID 133 with timestamp +19 Ready to process requests.
2009/8/4 Ivan Kalik <tnt@kalik.net>:
I mnaged to follow the steps in /etc/raddb/certs/README
and copied ca.der and client.p12 to XP machine
It looks like you have copied them but not installed them in the certificate store. Double-click the certificates and install them first.
Ivan Kalik Kalik Informatika ISP
-- Devinder
-- Devinder
-- Devinder
-- Devinder
participants (1)
-
Devinder Singh