Re: EAP TLS testing using eapol_test
Hi Alan Thanks for the reply. The client certificates are made by using "make client.pem" command. This is the should create the certificates signed by the server certificate of Freeradius. Since the root CA is same for both Freeradius and eapol_test, I am not sure what is going wrong, do you think it could be the eapol config? I will paste it here again. network={ ssid="1x-test" key_mgmt=WPA-EAP eap=TLS identity="user@example.com" ca_cert="/usr/local/etc/raddb/certs/ca.pem" (even tried with server.pem as CA) client_cert="/usr/local/etc/raddb/certs/user@example.com.pem<http://lists.freeradius.org/mailman/listinfo/freeradius-users> " private_key="/usr/local/etc/raddb/certs/client.key" private_key_passwd="whatever" eapol_flags=3 } Thanks Naunidh On Thu, May 22, 2008 at 10:56 PM, < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: EAP TLS testing using eapol_test (Alan DeKok) 2. Re: Need to understand flow (Alan DeKok) 3. Re: radius x509 authentication + LDAP ? (Alan DeKok) 4. Re: Need to understand flow (Tuc at T-B-O-H.NET <http://t-b-o-h.net/> ) 5. Re : Dynamic VLAN and FreeRadius (Joel MBA OYONE) 6. Re: Re : Dynamic VLAN and FreeRadius (Joe Vieira) 7. Re : Re : Dynamic VLAN and FreeRadius (Joel MBA OYONE)
----------------------------------------------------------------------
Message: 1 Date: Thu, 22 May 2008 17:06:03 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: EAP TLS testing using eapol_test To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <48358BDB.1040506@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Naunidh S Chadha wrote: ...
Wed May 21 19:31:19 2008 : *Error: --> verify error:num=20:unable to get local issuer certificate* Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
The certificate supplied by the client was not signed by a CA that FreeRADIUS recognises.
Alan DeKok.
------------------------------
Message: 2 Date: Thu, 22 May 2008 17:08:54 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Need to understand flow To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <48358C86.8030309@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Tuc at T-B-O-H.NET <http://t-b-o-h.net/> wrote:
I'm having to write my own validation and accounting for a device,
Don't. Please. There are a number of RADIUS libraries available, including freeradius-client, on freeradius.org. It's supported, it works, and it's in use by a number of products.
and I need to understand a little about the flow. Is there a good reference for this? I don't have to support much, basically user/pass authentication, updating accounting, timeout, logoff.
See the RFC's.
I believe I next need to send an accounting_start packet. Some of the items I'm not sure where they come from (Acct-Session-Id, Acct-Unique-Session-Id) or how they might be generated.
This is not a mailing list for general RADIUS questions. The RFC's exist. Please read them.
If you're doing this for a customer, you're getting paid. Don't expect anyone here to help you (for free) to create your product that has nothing to do with FreeRADIUS.
Alan DeKok.
------------------------------
Message: 3 Date: Thu, 22 May 2008 17:10:07 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: radius x509 authentication + LDAP ? To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <48358CCF.9000701@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Riccardo Veraldi wrote:
After authentication I would like to chack the common name or email address propertires of te certificate againsta LDAP, to authorize the user connection.
It comes in the User-Name attribute.
is it possible to do this ? I tyed but it seems not working in my configuration. any hints ?
Give us more information?
Q: Hi, I tried to do stuff, but it didn't work. How do I fix it? A: Uh... your guess is as good as mine.
Alan DeKok.
------------------------------
Message: 4 Date: Thu, 22 May 2008 11:37:27 -0400 (EDT) From: "Tuc at T-B-O-H.NET <http://t-b-o-h.net/>" <ml@t-b-o-h.net> Subject: Re: Need to understand flow To: freeradius-users@lists.freeradius.org Message-ID: <200805221537.m4MFbRmn039038@himinbjorg.tucs-beachin-obx-house.com> Content-Type: text/plain; charset=us-ascii
I'm having to write my own validation and accounting for a device,
Don't. Please. There are a number of RADIUS libraries available, including freeradius-client, on freeradius.org. It's supported, it works, and it's in use by a number of products.
I have no issue using a library. Right now I'm working with Net::Radius. But to use it I need to understand the flow since it only seems to be able to assemble and disassemble the packets, not tell me how to do it.
and I need to understand a little about the flow. Is there a good
reference
for this? I don't have to support much, basically user/pass authentication, updating accounting, timeout, logoff.
See the RFC's.
Ok. I was hoping for something more than RFC's, but if thats the starting point, off I'll go.
I believe I next need to send an accounting_start packet. Some of the items I'm not sure where they come from (Acct-Session-Id, Acct-Unique-Session-Id) or how they might be generated.
This is not a mailing list for general RADIUS questions. The RFC's exist. Please read them.
Jawol.
If you're doing this for a customer, you're getting paid. Don't expect anyone here to help you (for free) to create your product that has nothing to do with FreeRADIUS.
Actually, no, I'm not doing this for a customer. I'm doing it for an OpenSource/Sourceforge project, but I really appreciate your support in it all.
Tuc
------------------------------
Message: 5 Date: Thu, 22 May 2008 15:49:50 +0000 (GMT) From: Joel MBA OYONE <mba_oyone@yahoo.fr> Subject: Re : Dynamic VLAN and FreeRadius To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <994857.8869.qm@web26108.mail.ukl.yahoo.com> Content-Type: text/plain; charset="utf-8"
Alan,
I possess a device from D-Link (DWS-3024). it is a wireless switch controler, and the documentation says that: - One SSID has to be affect to one VLAN on the profile. - An Access point could be configured with up to 8 ifferent SSIDs and it is possible to affect each SSID on its own network (below is a link which show you the config page) or all SSID on the same network. maybe i didn't read it correctly, so here is the link (see page 89-90 and maybe 91 too.): ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf
i asked you stuffs about SSIDs/VLAN cause all my APs (about 30) will receive the same profile, and the profile will have 3 differents SSIDS with diffrents security access levels and network from the wireless switch.
for example, in the same room, associated to the same AP, students and teachers will connect to diffrent SSIDs coming from that same AP, and some will have to athenticate via EAP-PEAP, other will require EAP-TLS.
this other short file explain point to point what is my config and waht i am trying to do: ftp://ftp.dlink.fr/DWS/DWS-3024/QIG/QIG_DWS-3024_WPA2.pdf read it and maybe you could understand me.
regards
Joel MBA OYONE wrote:
No. VLAN assignment is after SSID association, and after 802.1x authentication.
OK, is it possible to associate in SSID_1 and be assigned to a different VLAN than the we are associated in ?
That doesn't make sense. SSID's aren't tied to VLANs, unless you configure them that way.
(exemple, when i am associated to SSID_1, which belongs to VLAN100,
No... SSID's have nothing to do with VLAN's.
RADIUS sends me "Tunnel-Private-Group-ID = 200", which belongs to another SSID, what would happen and would authentication process success?)
Read your NAS documentation to see how to do VLAN assignment, and how it interacts with SSID's.
- if i am assigned to another couple of SSID/VLAN than the one i am connected now by RADIUS, would authentication process restart at the beginning?
Stop talking about "SSID/VLAN". They are separate things.
When you do VLAN assignment with RADIUS, you do NOT need to re-authenticate.
- is it possible to do EAP-TLS, EAP-PEAP and EAP-MD5 without the use of 802.1x when RADIUS is the authentication Server for a supplicant?
What does that mean?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicit?s http://mail.yahoo.fr Yahoo! Mail
participants (1)
-
Naunidh S Chadha