Hi, I had a working FreeRadius 1.1.6 installation and running XP Pro SP3 with EAP/TLS on an Ethernet-Port. I use Linksys switches as authenticators. I think since end December (after I went into the xmas holidays) the Radius-Auth stopped working. I changed nothing at the Freeradius-Server. I suspect an MS-Update, major-security updates are rolled out automatically here. But I don't know which one. I made a debug with radiusd -X -A. The conversation looks normal, but at the end, I miss the "Login OK" Statement, it looks like the conversation is not finished and falls asleep. I don't see an error. Can anyone look over it please to give me a hint, where to look? TIA Alex Debug: rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0, length=101 NAS-IP-Address = 10.48.250.10 NAS-Port-Type = Ethernet NAS-Port = 7 User-Name = "host/hfs-080806-02" EAP-Message = 0x0217001701686f73742f6866732d3038303830362d3032 Message-Authenticator = 0xcd421dbdb5fcc2e7692fe75fcbfd5892 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_eap: EAP packet type response id 23 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry host/hfs-080806-02 at line 3 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 0 to 10.48.250.10 port 49154 EAP-Message = 0x011800060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x793054942f9417f5a0886c08dd4a0e4e Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0, length=183 NAS-IP-Address = 10.48.250.10 NAS-Port-Type = Ethernet NAS-Port = 7 User-Name = "host/hfs-080806-02" State = 0x793054942f9417f5a0886c08dd4a0e4e EAP-Message = 0x021800570d800000004d16030100480100004403014d219685836869e950cfbb8e7ae7a18a95c8871d059171695d24fd163d12cec600001600040005000a0009006400620003000600130012006301000005ff01000100 Message-Authenticator = 0x714b3ff58781c8329f0cebcbf99bc3e2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_eap: EAP packet type response id 24 length 87 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry host/hfs-080806-02 at line 3 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0048], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ed5], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 0 to 10.48.250.10 port 49154 EAP-Message = 0x0119040a0dc000000feb160301004a0200004603014d2195c9e75e9057262ca89fcdd70206a44718c85887fd8a1ee0267568b1cee120013b9c1ff336b6d8838eeb017dbf377c9c69f6e387eeda5ee9daedd8336849600004001603010ed50b000ed1000ece00075c3082075830820540a003020102020162300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543 EAP-Message = 0x656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3037303831333038333434385a170d3132303831313038333434385a308189310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312730250603550403131e7261646975732e76657277616c74756e672e6b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082 EAP-Message = 0x020a02820201009d061598c850223454cb70a58cae0a1ac2db0b6a963d25c96c632b1eb2a9177e3e8a066fa9c3596c4a1b035def3b6c589a12209a6d7ab7aa4144de890803c34cb5239cdb3b7266426049d475ed3e354fe494dee46a17e7478065c7332f6ac621d9b754d46812dc4ffda7a39bf33987fbe6951a591aee791c9468cc70f5a821683640675bafea24fe5291d6750c30a1b0a4c52cbeb6a18ce514038432f3dc83ce12657de67976dff9a7643b7ad340240e5e69385355b64d3e77f4bb0dfbc8fd63258a308c2a6e82f9c0c92e7e4ccadf848cc3bb57d592dcf46930c794fa0b338c9db103b9a7162352ff8cac3b680d64ec0b865bf74778 EAP-Message = 0x839cd1530d79ba553a2bd9ffb112534cd758bb3b3dba26037ed1c158089af8903e9f5b684061ddd413fb192cfc5024c03b177184101d68bc7111ccdcb6bee8c98d1642bbc547e8211dab2fd5d45488da089a17edaa9b4dd4357d4adcb0e33553210a5ad0e84edc9f9a769297649672d5f78e2f3687e99c411abea88e0363fe1afb7dcf05a8838ef07cec88337f903a94a6207893b5e9ff80441a12b6847ff008eb8c257878f6711a8f8c053315d4ae87b36661cdee73a3cbaca92d14f480804c7476d36665c417db9c954795423ca49de599eb3ed3a6cc55f03bad529359b0a55e5bffa9cf65b3034d48c263c491b24ad9f9f74b6ea9cea17710efc22b EAP-Message = 0xc0d77f58b0a5d3589ab19f13f90203010001a38201a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdd9f396cf15641e0754754ce9e335224 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0, length=102 NAS-IP-Address = 10.48.250.10 NAS-Port-Type = Ethernet NAS-Port = 7 User-Name = "host/hfs-080806-02" State = 0xdd9f396cf15641e0754754ce9e335224 EAP-Message = 0x021900060d00 Message-Authenticator = 0x575c7e249430d63e09b6143649ca5d05 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_eap: EAP packet type response id 25 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry host/hfs-080806-02 at line 3 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 0 to 10.48.250.10 port 49154 EAP-Message = 0x011a040a0dc000000feb308201a230090603551d1304023000301106096086480186f8420101040403020640302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e0416041442a94a9f048871b178d41a5d00a5668e78c045ff3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543 EAP-Message = 0x656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005301d0603551d1204163014811273632d6974406b682d6265726c696e2e6465301d0603551d1104163014811273632d6974406b682d6265726c696e2e646530160603551d250101ff040c300a06082b06010505070301300d06092a864886f70d0101050500038202010027ddc002c4835bb38b2152a1b93fc65419a91436bcd3e9e4f37b0eaf35498333305a12229d454d797f8cd3e678f0e73467237638ddec EAP-Message = 0x79c4e1f00fc72f18d51dc7658843c2855f5dcb3cc13b10730a5d9f99992e4924d9e28e1f7d12d285d815c734f8c63815124e5cc49d15777d233f7e3b1133c0773d3703e10a70203dc3557185bf629d1d2482d548d3b56f6ca28b7555b971c00899395a5c23a1378f495acbfe162b6929e63bd5c3bb20bb4268d9269235451378e34fde7df5a9392595a3d8c8d889e90a7dc934dce6d61b5cdec3f6652de92ba8786f4a0dffb00a0306873ecd695681eef4ec7cd5861dace26b6504f1ad1899f199ce4a121a3a37197ffe8145e4aee40b6a3fd627088908db8650557b984d447f3c65a6a697672bd242e260493073ee5532d2f4e3c6907332808995a54f EAP-Message = 0xa0c690bd3bdc09c2872280185e5a1e4b999241374ceaf16233fd91b124a65652bfd76cdc0735a06c4fb0197a919ad53d4f2953194e5c8def3884a10e95905dbe338dd2fdb9b997114a023866731016ed5195940ff9f8b1c85994c3fc52e6226d93e8bdebefed24376bae1c923813ea1b7c1d8bc5547a82258696ee03b2ee3b03bff43f28bd340219aaa58bfd28d6767c54269fe907b196157db92c807c693e3f01c81af0145b66af36ae839b4d8add58891ee3a64428c285942cc38c151b113084e252c094f196ab2927078fd100076c3082076830820550a003020102020900890d6f61ac0ce005300d06092a864886f70d01010505003081aa310b30 EAP-Message = 0x09060355040613024445310f300d0603550408130642 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x805e028e859aa0f88cfd562748aaba95 Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0, length=102 NAS-IP-Address = 10.48.250.10 NAS-Port-Type = Ethernet NAS-Port = 7 User-Name = "host/hfs-080806-02" State = 0x805e028e859aa0f88cfd562748aaba95 EAP-Message = 0x021a00060d00 Message-Authenticator = 0xb2e0f50abf1596f8862ed87864157eda Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_eap: EAP packet type response id 26 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry host/hfs-080806-02 at line 3 modcall[authorize]: module "files" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 0 to 10.48.250.10 port 49154 EAP-Message = 0x011b040a0dc000000feb65726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3035303930353038303532355a170d3135303930333038303532355a3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048 EAP-Message = 0x664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100c4e58d7b46104aaed067a7f4e2c0bce5fd30388b52102731e8ae991947c14547ca41753f07ee2f50c4374b00950c83165fce3e38cdf4b4749dce3641ce01e450a7f1e53de6997ac4a19b93cc212b2cfb5425c7b1421b89951478dadba32ce7c00421c9791d1af1b38e9ce04141c724d866 EAP-Message = 0xfb11c06bd13a626f830825d002beccae484fcaa3840fdab94afdd1e454155451678ecb4ae36c1628afce08a8622736e5f29360512174ffa60a3a713794d781efa85d83c6df6cc78262910cb757c515450569cd668cdb29a709e3f8d52dde54c69e2b84b0be385347948e360e4095499957b42d0a918cbc647a2377c0c26e0925f386d520f0bc2f25b206a93075e9382d590f4724352edc61a0e497dece898c31ca22c4320d02b55bb519c90f228fcbd6f1d72057245e35a3170a354b207ef1f2a61585256e493bff8b363075452e21cbb5cb26167d8d1201c41911569768a99eea5cff0fb0458e5615e42e8aec5417f2493f5b81cf7b9cdb4ad1995c0c EAP-Message = 0x8bced370d073ee8eefb21f833372027c4fcb84c23c73d1b44df6f5ca34e0d9f674900f9ddf1340179016868a3697a807624dd8f0ff7aea8460241df0a8a74eb8b0151171395155db1fd0b87be63c7047fda731126880bf2228332a38f11ac024cb944d68ce72da5f43d73609e82f92486f4eaad235b104ae3c93061600b3a54e895841eac966309ad0c18cccf17453210f450203010001a382018d30820189301d0603551d0e04160414b939b6ce8a52912eaece162418b1f4d8303d042e3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d06 EAP-Message = 0x0355040813064265726c696e310f300d060355040713 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb6b3d2f0a12aec39a8b4f8e2aec32085 Finished request 9 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0, length=102 NAS-IP-Address = 10.48.250.10 NAS-Port-Type = Ethernet NAS-Port = 7 User-Name = "host/hfs-080806-02" State = 0xb6b3d2f0a12aec39a8b4f8e2aec32085 EAP-Message = 0x021b00060d00 Message-Authenticator = 0xf2d26dcc1e1b911c078c3a416ea3c8a1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 modcall[authorize]: module "mschap" returns noop for request 10 rlm_eap: EAP packet type response id 27 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 10 users: Matched entry host/hfs-080806-02 at line 3 modcall[authorize]: module "files" returns ok for request 10 modcall: leaving group authorize (returns updated) for request 10 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 10 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 10 modcall: leaving group authenticate (returns handled) for request 10 Sending Access-Challenge of id 0 to 10.48.250.10 port 49154 EAP-Message = 0x011c03f50d8000000feb064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005300f0603551d130101ff040530030101ff301106096086480186f842010104040302010630090603551d1204023000302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d11041630 EAP-Message = 0x14811273632d6974406b682d6265726c696e2e6465300b0603551d0f040403020106300d06092a864886f70d0101050500038202010060f0ab4236cda26ba7ceaedfd61052c52b73e1e028ffe29171395f9074e4beee7eab73afc427c17cd0f37e96c7af6eda553a92b2b426f723c283c8ea027f3ab17c93d1ffa7c8a29fedbc83f11f8731a140393c56aceffae318f7ebbca367fed9280513ce2cfad1257c59f056e3898e928f968baa6c3cc094ca50b9072674b8fa43ab0e31c4a7a54eb8f96ad4d275011a449807c3abe4865d8f837ee4d8db0c081af218c00a878d4c7e30268282034b35a666b8295eb53ee41bcda9345a7d48fdb7dc306180df06 EAP-Message = 0xec546e826d73d7dd62bf449c6eb948aa85c808893b308a32636cb151b044b839fc382f8623863d7ac78b7bf3e0f2c1ac4c8a69b9184e58733d966120ce334ab7212f23b85a8e8d5b2ada0f4cc7cb981fafd3585c398b351a06870271c71e537b4010a7d2914151b076a5f4094d1ab64e46a93dbba7456fa75be4006a172f6824219fad1b4c95322c6b9a1703515545ebbdae485fa994ac81fb8d308cdb58038d6c95c15d29f0a317e03877225eebe3647f28dc2361d7fb1894231e475805ec5e95ab5a37c96c70b000695caee3562f474af69b11fc67ccf54e9f0f1d1adc2c9038d56a9fa3454320444843fe38e00de285cb9120b24416fa909c259b52 EAP-Message = 0xd069e64d0d9faa37c336f8bd3a8128a8f5e244029a5ded25e10bfc551dc08730e133a4e4b744cf3d8c038d38b1692c1d4876f92d109efcf136355c2216030100bd0d0000b50301020500af00ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e64650e0000 EAP-Message = 0x00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb96e1a3a059b60b96d74ce260c86a0c5 Finished request 10 Going to the next request Waking up in 6 seconds...
Alexandros Gougousoudis wrote:
I had a working FreeRadius 1.1.6 installation and running XP Pro SP3 with EAP/TLS on an Ethernet-Port. I use Linksys switches as authenticators. I think since end December (after I went into the xmas holidays) the Radius-Auth stopped working. I changed nothing at the Freeradius-Server. I suspect an MS-Update, major-security updates are rolled out automatically here. But I don't know which one.
See if your certificate has expired. Alan DeKok.
Alan DeKok schrieb:
See if your certificate has expired.
Nope, that was the first I've checked. Server and client-cert are still valid. It seems, that no XP client (even some old SP2 clients) can logon anymore, Ubuntu can. Is there some possibility to force a "Login OK" as a Default-Action in the "users"-file? That could take out the pressure here. TIA Alex
On 01/03/2011 11:09 AM, Alexandros Gougousoudis wrote:
Alan DeKok schrieb:
See if your certificate has expired.
Nope, that was the first I've checked. Server and client-cert are still valid. It seems, that no XP client (even some old SP2 clients) can logon anymore, Ubuntu can.
Is there some possibility to force a "Login OK" as a Default-Action in the "users"-file? That could take out the pressure here.
No. EAP must complete successfully - it is a challenge/response. You can't just skip to the end of the "response". To be clear, all windows clients fail? But other clients succeed? It is possible a windows update has removed the intermediate certificate from the client(s). IIRC Microsoft have done this in the past, expecting the intermediate CA to be provided during TLS negotiation. In this case, you need to have the correct CA (chain) at the FreeRadius side. Have you got this configured correctly? It won't help running such an old version of FreeRadius.
Hi Phil, Phil Mayers schrieb:
To be clear, all windows clients fail? But other clients succeed? Exactly, Ubuntu can authenticate, all XP not. It is possible a windows update has removed the intermediate certificate from the client(s). IIRC Microsoft have done this in the past, expecting the intermediate CA to be provided during TLS negotiation. In this case, you need to have the correct CA (chain) at the FreeRadius side. Have you got this configured correctly? Yes, Server cert/key and Client cert/key origin from the same CA, which is also present at the radius-server. At least that wasn't a problem since 2 years, after I worked out how to use Radius with XP SP3.
It won't help running such an old version of FreeRadius. Yes, but it was enough for us, since we don't need Vista and Win 7 support. I'am working currently on Debian Lenny to make the 2.10 coming over lenny-backports work. But it's not easy and I don't know if it fixes the problem. I think an MS security-update killed the radius authentification.
Is anyone having a working auth with Freeradius und a fully patched XP Pro SP3? TIA Alex
On 01/03/2011 09:40 AM, Alexandros Gougousoudis wrote:
Hi,
I had a working FreeRadius 1.1.6 installation and running XP Pro SP3
That's really old. Upgrade.
with EAP/TLS on an Ethernet-Port. I use Linksys switches as authenticators. I think since end December (after I went into the xmas holidays) the Radius-Auth stopped working. I changed nothing at the Freeradius-Server. I suspect an MS-Update, major-security updates are rolled out automatically here. But I don't know which one.
Have you checked your cert hasn't expired? Does it work with any other clients?
On Jan 3, 2011, at 4:40 AM, Alexandros Gougousoudis wrote:
I think since end December (after I went into the xmas holidays) the Radius-Auth stopped working.
First, I know almost nothing regarding EAP. However, I wanted to mention that many of the root certificates have been updated to 2048-bit recently. I believe that Microsoft's cutoff date for the 1024-bit root certificates was the end of December. My understanding was that this was only to affect new certificates, however, since certificates are involved in the EAP process, you may want to add this information to your investigation. Jim L.
Hi JDL, that's a good point, I didn't think about that. But it's not my problem, I have 4096 keylength. It should be ok. thx Alex JDL schrieb:
December. My understanding was that this was only to affect new certificates, however, since certificates are involved in the EAP process, you may want to add this information to your investigation.
When I have had problem in the past. (With IAS and windows Clients) A good test was always use the cert as a ssl cert and try and go tot the website to see if IE errors on the cert. Thank you Andrew Paternoster Screwloose Software S (03) 9095-7290 (03) 9095-7299 11-15 HighTech Place, Lilydale, Vic 3140 www.screwloose.com.au -----Original Message----- From: freeradius-users-bounces+andrew=screwloose.com.au@lists.freeradius.org [mailto:freeradius-users-bounces+andrew=screwloose.com.au@lists.freeradius.org] On Behalf Of Alexandros Gougousoudis Sent: Tuesday, 4 January 2011 12:12 AM To: FreeRadius users mailing list Subject: Re: No EAP/TLS with XP SP3 since End December Hi JDL, that's a good point, I didn't think about that. But it's not my problem, I have 4096 keylength. It should be ok. thx Alex JDL schrieb:
December. My understanding was that this was only to affect new certificates, however, since certificates are involved in the EAP process, you may want to add this information to your investigation.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alexandros Gougousoudis schrieb:
(after I went into the xmas holidays) the Radius-Auth stopped working. I changed nothing at the Freeradius-Server. I suspect an MS-Update, major-security updates are rolled out automatically here. But I don't know which one.
Thanks for all replies. It turned out, that neither the server nor the client was the problem. It seems we had an MTU-Problem in our MPLS-VPN, which corrupted the conversation between Authenticator and Radius-Server. Our provider fixed it and since then I have again no problems with Radius. Most other services in the net worked, some not, so I got suspicous and asked our MPLS provider. Ubuntu worked because the Client, Authenticator and Server were alltogether in the same LAN (in that segment we have no Windows). It was a good riddle for the new year, can I have another one? :-) Good thing is, that I started to use FreeRadius 2.10 on Lenny for testing. :-) ciao Dros
participants (5)
-
Alan DeKok -
Alexandros Gougousoudis -
Andrew Paternoster -
JDL -
Phil Mayers