Here is the result of my first attempt. I added a Pukey-EAP entry in the LDAP tree but it didn't do much good. And I can't tell whats the matter with my CA. rad_recv: Access-Request packet from host 192.168.0.250:1110, id=8, length=159 User-Name = "Pukey-EAP" Cisco-AVPair = "ssid=Pukey-EAP" NAS-IP-Address = 192.168.0.250 Called-Station-Id = "004096285ceb" Calling-Station-Id = "00095b679ccf" NAS-Identifier = "AP340-285ceb" NAS-Port = 37 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Login-User EAP-Message = 0x020d000e0150756b65792d454150 Message-Authenticator = 0xebe4683da315ee95109c4736a19a37cd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for Pukey-EAP radius_xlat: '(uid=Pukey-EAP)' radius_xlat: 'dc=pukey' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=pukey, with filter (uid=Pukey-EAP) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "Pukey-EAP", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "Pukey-EAP" rlm_realm: Proxying request from user Pukey-EAP to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 13 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 8 to 192.168.0.250 port 1110 EAP-Message = 0x010e00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe5a40fabb5846577f6543672d9313801 Finished request 7 Going to the next request Here is my /etc/xsupplicant.conf network_list = all default_netname = Pukey-EAP Pukey-EAP { type = wireless allow_types = eap_peap identity = Pukey-EAP eap-peap { random_file = /dev/urandom root_cert = /etc/raddb/certs/root.pem chunk_size = 1398 allow_types = eap_mschapv2 eap-mschapv2 { username = User password = Password } } } I've created a SSID called Pukey-EAP it requires EAP.
Evan Vittitow wrote:
Here is the result of my first attempt. I added a Pukey-EAP entry in the LDAP tree but it didn't do much good. And I can't tell whats the matter with my CA.
You have configured your LDAP tree to contain either the plaintext password or NT/LM hashes, yes? And configured FreeRadius to extract those from LDAP?
rad_recv: Access-Request packet from host 192.168.0.250:1110, id=8, length=159 User-Name = "Pukey-EAP" Cisco-AVPair = "ssid=Pukey-EAP" NAS-IP-Address = 192.168.0.250 Called-Station-Id = "004096285ceb" Calling-Station-Id = "00095b679ccf" NAS-Identifier = "AP340-285ceb" NAS-Port = 37 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Login-User EAP-Message = 0x020d000e0150756b65792d454150 Message-Authenticator = 0xebe4683da315ee95109c4736a19a37cd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for Pukey-EAP radius_xlat: '(uid=Pukey-EAP)' radius_xlat: 'dc=pukey' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=pukey, with filter (uid=Pukey-EAP) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed
Your LDAP entry was not found. Your LDAP search configuration is not correct, or the entry you added does not match the filter.
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "Pukey-EAP", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "Pukey-EAP" rlm_realm: Proxying request from user Pukey-EAP to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 13 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 8 to 192.168.0.250 port 1110 EAP-Message = 0x010e00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe5a40fabb5846577f6543672d9313801 Finished request 7 Going to the next request
If that's where it stops, the problem lies at the client. The radius server has started an EAP-TLS conversation - did you change the default EAP type in the "eap.conf" in FreeRadius.
Here is my /etc/xsupplicant.conf
network_list = all default_netname = Pukey-EAP
Pukey-EAP { type = wireless allow_types = eap_peap identity = Pukey-EAP eap-peap { random_file = /dev/urandom root_cert = /etc/raddb/certs/root.pem chunk_size = 1398 allow_types = eap_mschapv2 eap-mschapv2 { username = User password = Password } } }
I've created a SSID called Pukey-EAP it requires EAP. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think a large part of my problem is the creation of a Certificate authority. This will get a little Hypothetical so let me lay a few facts out on the table. Mandriva 2007 discontinues CA.sh in favor of CA.pl Certificates as far as I know, at least the demo certs are in /etc/pki/tls - not /usr/lib/ssl Its very possible, that said Certificate authority for Radius could hypothetically be used layer for IPSec. This being the case, what would the best strategy be for implementing a PKI CA. Should I make one Cert for every host? One server host and one client Cert for all hosts? Different CAs for different Services? How will Mandriva's architecture change affect this?
Evan Vittitow wrote:
I think a large part of my problem is the creation of a Certificate authority.
Why? See the various 802.1x howto's (pointed to from freeradius.org & the wiki) for how to create certificates for the server.
Its very possible, that said Certificate authority for Radius could hypothetically be used layer for IPSec. This being the case, what would the best strategy be for implementing a PKI CA. Should I make one Cert for every host? One server host and one client Cert for all hosts? Different CAs for different Services? How will Mandriva's architecture change affect this?
You want one certificate for the RADIUS server. For most RADIUS situations, this is enough. And that certificate shouldn't be used for anything else. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Evan Vittitow wrote:
I think a large part of my problem is the creation of a Certificate authority.
Why? See the various 802.1x howto's (pointed to from freeradius.org & the wiki) for how to create certificates for the server.
Its very possible, that said Certificate authority for Radius could hypothetically be used layer for IPSec. This being the case, what would the best strategy be for implementing a PKI CA. Should I make one Cert for every host? One server host and one client Cert for all hosts? Different CAs for different Services? How will Mandriva's architecture change affect this?
You want one certificate for the RADIUS server. For most RADIUS situations, this is enough. And that certificate shouldn't be used for anything else.
What do I give the xsupplicant clients?
Evan Vittitow wrote:
Alan DeKok wrote:
Evan Vittitow wrote:
I think a large part of my problem is the creation of a Certificate authority.
Why? See the various 802.1x howto's (pointed to from freeradius.org & the wiki) for how to create certificates for the server.
Its very possible, that said Certificate authority for Radius could hypothetically be used layer for IPSec. This being the case, what would the best strategy be for implementing a PKI CA. Should I make one Cert for every host? One server host and one client Cert for all hosts? Different CAs for different Services? How will Mandriva's architecture change affect this?
You want one certificate for the RADIUS server. For most RADIUS situations, this is enough. And that certificate shouldn't be used for anything else.
What do I give the xsupplicant clients?
A username and password, and optionally the CA cert so they can "trust" the radius server cert.
I keep getting this. I have been following documentation.
A username and password, and optionally the CA cert so they can "trust" the radius server cert. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html rlm_eap: SSL error error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch rlm_eap_tls: Error reading private key file
http://wiki.freeradius.org/WPA_HOWTO#Script_Listings This is my documentation.
participants (3)
-
Alan DeKok -
Evan Vittitow -
Phil Mayers