Re : Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
installing ca.der and putting user && pass into client machine, the authentication doesn't work?
-- no, it doesn't!
you only need ca.der but, if you have an active directory like LDAP, check if your comunication with AD server also have tls authentication. Into ldap module you can configurate another tls block, which it's different than tls block into eap module.
-- Well, the howto espalaining how freeradius has to authenticate users against Active Directory says nothing about ldap config files on linux server. it just gives tips about samba, using winbind, ntlm_auth, krb5.conf, nsswitch.conf and mschap module in freeradius. I ever success this kind of authentication without reading or changing a line of ldap module in freeradius. and i think, authenticating users against Openldap won't be managed like authentication of freeradius using active directory.
I don't know if it is your problem, but I suppose that comunication between ldap server and radius can have different certificates, from different ca's than eap comunication.
my wireless network is secured with wpa/wpa2 entreprise, requiring a RADIUS server to perform authentication. so i am doing 802.1x authentication which exploit a valid PKI,regardless of the base of users. this is how i understand it.
If it is your problem, I would check it. also would be good you post de debug of radius to see which certificate can't validate.
see the logf there: http://tinypaste.com/5b99b active and valid user is: login: glouglou password: glouglou aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON password: NT_STATUS_OK: Success (0x0) aaa:~ # :/ Any help will be appreciated. these days i am wondering about validity of the Server certificate! I have to tell you that, in my case, if i try a peap authentication against Active Directoiry with wrong users credentials, i have an error message saying that login or password is incorrect. with good users credential, i just obtain what you can see in the Radiusd -X output (http://tinypaste.com/5b99b) thank you - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr
Are you using vista supplicant? By reading the last lines of your radius debug file it seems so... See earlier posts with subject: "PEAP or TTLS and Microsoft Vista". Sex, 2008-07-25 às 17:10 +0000, Reveal MAP escreveu:
installing ca.der and putting user && pass into client machine, the authentication doesn't work?
-- no, it doesn't!
you only need ca.der but, if you have an active directory like LDAP, check if your comunication with AD server also have tls authentication. Into ldap module you can configurate another tls block, which it's different than tls block into eap module.
-- Well, the howto espalaining how freeradius has to authenticate users against Active Directory says nothing about ldap config files on linux server. it just gives tips about samba, using winbind, ntlm_auth, krb5.conf, nsswitch.conf and mschap module in freeradius. I ever success this kind of authentication without reading or changing a line of ldap module in freeradius. and i think, authenticating users against Openldap won't be managed like authentication of freeradius using active directory.
I don't know if it is your problem, but I suppose that comunication between ldap server and radius can have different certificates, from different ca's than eap comunication.
my wireless network is secured with wpa/wpa2 entreprise, requiring a RADIUS server to perform authentication. so i am doing 802.1x authentication which exploit a valid PKI,regardless of the base of users. this is how i understand it.
If it is your problem, I would check it. also would be good you post de debug of radius to see which certificate can't validate.
see the logf there: http://tinypaste.com/5b99b active and valid user is: login: glouglou password: glouglou
aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON password: NT_STATUS_OK: Success (0x0) aaa:~ #
:/ Any help will be appreciated. these days i am wondering about validity of the Server certificate! I have to tell you that, in my case, if i try a peap authentication against Active Directoiry with wrong users credentials, i have an error message saying that login or password is incorrect. with good users credential, i just obtain what you can see in the Radiusd -X output (http://tinypaste.com/5b99b)
thank you - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
______________________________________________________________________ Envoyé avec Yahoo! Mail. Une boite mail plus intelligente. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
nf-vale escribió:
Are you using vista supplicant? By reading the last lines of your radius debug file it seems so...
See earlier posts with subject: "PEAP or TTLS and Microsoft Vista".
Sex, 2008-07-25 às 17:10 +0000, Reveal MAP escreveu:
installing ca.der and putting user && pass into client machine, the
authentication doesn't work?
-- no, it doesn't!
you only need ca.der but, if you have an active directory like
LDAP, check if your comunication with AD server also have tls authentication. Into ldap module you can configurate another tls block, which it's different than tls block into eap module.
-- Well, the howto espalaining how freeradius has to authenticate users against Active Directory says nothing about ldap config files on linux server. it just gives tips about samba, using winbind, ntlm_auth, krb5.conf, nsswitch.conf and mschap module in freeradius. I ever success this kind of authentication without reading or changing a line of ldap module in freeradius. and i think, authenticating users against Openldap won't be managed like authentication of freeradius using active directory.
I don't know if it is your problem, but I suppose that comunication
between ldap server and radius can have different certificates, from different ca's than eap comunication.
my wireless network is secured with wpa/wpa2 entreprise, requiring a RADIUS server to perform authentication. so i am doing 802.1x authentication which exploit a valid PKI,regardless of the base of users. this is how i understand it.
If it is your problem, I would check it. also would be good you post de debug of radius to see which certificate can't validate.
see the logf there: http://tinypaste.com/5b99b active and valid user is: login: glouglou password: glouglou
aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON password: NT_STATUS_OK: Success (0x0) aaa:~ #
:/ Any help will be appreciated. these days i am wondering about validity of the Server certificate! I have to tell you that, in my case, if i try a peap authentication against Active Directoiry with wrong users credentials, i have an error message saying that login or password is incorrect. with good users credential, i just obtain what you can see in the Radiusd -X output (http://tinypaste.com/5b99b)
thank you - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
______________________________________________________________________ Envoyé avec Yahoo! Mail. Une boite mail plus intelligente. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
no, I have this error using both linux wpa_supplicant and xp3. I have wpa_supplicant running ok with another two eap modules, but not with default pki.I'm really "flipado" (I don't know the exact translation of "flipado", but seems to very very very very ......surprised) because i've tried a lot of things to solve it. I think learning english it's a good begining, jejeje. Thanks
Reveal MAP escribió:
installing ca.der and putting user && pass into client machine, the authentication doesn't work?
-- no, it doesn't!
you only need ca.der but, if you have an active directory like LDAP, check if your comunication with AD server also have tls authentication. Into ldap module you can configurate another tls block, which it's different than tls block into eap module.
-- Well, the howto espalaining how freeradius has to authenticate users against Active Directory says nothing about ldap config files on linux server. it just gives tips about samba, using winbind, ntlm_auth, krb5.conf, nsswitch.conf and mschap module in freeradius. I ever success this kind of authentication without reading or changing a line of ldap module in freeradius. and i think, authenticating users against Openldap won't be managed like authentication of freeradius using active directory.
I don't know if it is your problem, but I suppose that comunication between ldap server and radius can have different certificates, from different ca's than eap comunication.
my wireless network is secured with wpa/wpa2 entreprise, requiring a RADIUS server to perform authentication. so i am doing 802.1x authentication which exploit a valid PKI,regardless of the base of users. this is how i understand it.
If it is your problem, I would check it. also would be good you post de debug of radius to see which certificate can't validate.
see the logf there: http://tinypaste.com/5b99b active and valid user is: login: glouglou password: glouglou
aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON password: NT_STATUS_OK: Success (0x0) aaa:~ #
:/ Any help will be appreciated. these days i am wondering about validity of the Server certificate! I have to tell you that, in my case, if i try a peap authentication against Active Directoiry with wrong users credentials, i have an error message saying that login or password is incorrect. with good users credential, i just obtain what you can see in the Radiusd -X output (http://tinypaste.com/5b99b)
thank you - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
but I think you don't have any problem with certificates, looking at radius debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established the client is telling you that has verified the server cert (against ca.der). Then, the server writes ChangeCipherSpec and Fin, and tls phase is finished. I think you have problems with mschapv2 phase, assuming your sql querys working. Your problem begin here: rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password expand: --username=%{mschap:User-Name} -> --username=glouglou I think...... I've never configured peap/mschapv2 but sometimes i've read, not carefully, about some dependencies between mschap module and mschapv2 or something like that. hope this help you
see the logf there: http://tinypaste.com/5b99b
Your problem is nothing to do with certificates. The PEAP tunnel gets setup correctly, the MS-CHAP client->server auth succeeds, but the final server->client (mutual) auth appears to fail. This could be for a number of reasons, but it's a problem at the client side. You will need to debug it at the client side.
participants (4)
-
nf-vale -
Phil Mayers -
Reveal MAP -
Sergio