Eshun Benjamin wrote:
Hello Arran, Which specific OID? I also think it has to do with the certificate. Could you please be specific if possible with example. I trried to use another certificate and I am getting 2 issues; 1. is before access challenge ;
Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: EAP packet type response id 2 length 192 Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2 Wed Apr 4 21:33:09 2007 : Debug: users: Matched entry DEFAULT at line 225 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "files" returns ok for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling etc_smbpasswd (rlm_passwd) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added LM-Password: '739EA6CD54DF1680AAD3B435B51404EE' to config_items Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added NT-Password: 'F138C6624B18D0E17EA9630C746A8202' to config_items Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items Wed Apr 4 21:33:09 2007 : Info: rlm_passwd: Adding "Auth-Type = MS-CHAP" Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from etc_smbpasswd (rlm_passwd) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "etc_smbpasswd" returns ok for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Normalizing LM-Password from hex encoding Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Normalizing NT-Password from hex encoding Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Found existing Auth-Type, not changing it. Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "pap" returns noop for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall: leaving group authorize (returns updated) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rad_check_password: Found Auth-Type EAP Wed Apr 4 21:33:09 2007 : Debug: auth: type "EAP" Wed Apr 4 21:33:09 2007 : Debug: Processing the authenticate section of radiusd.conf Wed Apr 4 21:33:09 2007 : Debug: modcall: entering group authenticate for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: Request found, released from the list Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: EAP/peap Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: processing type peap Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_peap: Authenticate Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: processing TLS Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: Length Included Wed Apr 4 21:33:09 2007 : Debug: eaptls_verify returned 11 Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 read client key exchange A Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 read finished A Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 write change cipher spec A Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 write finished A Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 flush data Wed Apr 4 21:33:09 2007 : Debug: (other): SSL negotiation finished successfully Wed Apr 4 21:33:09 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Wed Apr 4 21:33:09 2007 : Debug: SSL Connection Established Wed Apr 4 21:33:09 2007 : Debug: eaptls_process returned 13 Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_peap: EAPTLS_HANDLED Wed Apr 4 21:33:09 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authenticate]: module "eap" returns handled for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall: leaving group authenticate (returns handled) for request 2
2. Then during access challenge; some access denied errors.
Wed Apr 4 21:21:48 2007 : Debug: eaptls_verify returned 11 Wed Apr 4 21:21:48 2007 : Debug: eaptls_process returned 7 Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_peap: EAPTLS_OK Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes. Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied Wed Apr 4 21:21:48 2007 : Error: TLS Alert read:fatal:access denied Wed Apr 4 21:21:48 2007 : Info: rlm_eap_peap: No data inside of the tunnel. Wed Apr 4 21:21:48 2007 : Debug: rlm_eap: Handler failed in EAP/peap Wed Apr 4 21:21:48 2007 : Debug: rlm_eap: Failed in EAP select Wed Apr 4 21:21:48 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 11 Wed Apr 4 21:21:48 2007 : Debug: modcall[authenticate]: module "eap" returns invalid for request 11 Wed Apr 4 21:21:48 2007 : Debug: modcall: leaving group authenticate (returns invalid) for request 11 Wed Apr 4 21:21:48 2007 : Debug: auth: Failed to validate the user. Wed Apr 4 21:21:48 2007 : Debug: Delaying request 11 for 1 seconds Wed Apr 4 21:21:48 2007 : Debug: Finished request 11 Wed Apr 4 21:21:48 2007 : Debug: Going to the next request Wed Apr 4 21:21:48 2007 : Debug: rl_next: returning NULL Wed Apr 4 21:21:48 2007 : Debug: Waking up in 6 seconds... Wed Apr 4 21:21:54 2007 : Debug: --- Walking the entire request list --- Sending Access-Reject of id 0 to 10.1.5.26 port 2048
==================================================
Benjamin K. Eshun
----- Message d'origine ---- De : Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Envoyé le : Mercredi, 4 Avril 2007, 19h51mn 45s Objet : Re: EAP/TTLS PEAP MSCHAP
Eshun Benjamin wrote:
Mac connects but ms windows does not. I am doing server side cert. Error from ms windows.
User-Name = "testgeneral" NAS-IP-Address = 10.1.5.26 Called-Station-Id = "0016014d9158" Calling-Station-Id = "0019e3034ceb" NAS-Identifier = "0016014d9158" NAS-Port = 36 Framed-MTU = 1400 State = 0x3d946123f5f422f576bed1eb52863e55 NAS-Port-Type = Wireless-802.11 EAP-Message =
0x0202005019800000004616030100410100003d030146139aedbfdec7d57168bf7fdbe984cfd19f5d1e7c13ee839e4b0a55d34aa86600001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x3efce19c566f372e8744589f65d58401 Wed Apr 4 14:32:48 2007 : Debug: Processing the authorize section of radiusd.conf Wed Apr 4 14:32:48 2007 : Debug: modcall: entering group authorize for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 74 Wed Apr 4 14:32:48 2007 : Debug: rlm_realm: No '@' in User-Name = "testgeneral", looking up realm NULL Wed Apr 4 14:32:48 2007 : Debug: rlm_realm: No such realm "NULL" Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 74 Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: EAP packet type response id 2 length 80 Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 74 Wed Apr 4 14:32:48 2007 : Debug: users: Matched entry testgeneral at line 216 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "files" returns ok for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling etc_smbpasswd (rlm_passwd) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from etc_smbpasswd (rlm_passwd) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "etc_smbpasswd" returns notfound for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 74 Wed Apr 4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type, not changing it. Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "pap" returns noop for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall: leaving group authorize (returns updated) for request 74 Wed Apr 4 14:32:48 2007 : Debug: rad_check_password: Found Auth-Type EAP Wed Apr 4 14:32:48 2007 : Debug: auth: type "EAP" Wed Apr 4 14:32:48 2007 : Debug: Processing the authenticate section of radiusd.conf Wed Apr 4 14:32:48 2007 : Debug: modcall: entering group authenticate for request 74 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 74 Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: Request found, released from the list Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: EAP/peap Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: processing type peap Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_peap: Authenticate Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: processing TLS Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: Length Included Wed Apr 4 14:32:48 2007 : Debug: eaptls_verify returned 11 Wed Apr 4 14:32:48 2007 : Debug: (other): before/accept initialization Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: before/accept initialization Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 read client hello A Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 write server hello A Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 038f], Certificate Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 write certificate A Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 write server done A Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 flush data Wed Apr 4 14:32:48 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Wed Apr 4 14:32:48 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Wed Apr 4 14:32:48 2007 : Debug: In SSL Handshake Phase Wed Apr 4 14:32:48 2007 : Debug: In SSL Accept mode Wed Apr 4 14:32:48 2007 : Debug: eaptls_process returned 13 Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_peap: EAPTLS_HANDLED Wed Apr 4 14:32:48 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall[authenticate]: module "eap" returns handled for request 74 Wed Apr 4 14:32:48 2007 : Debug: modcall: leaving group authenticate (returns handled) for request 74 Sending Access-Challenge of id 0 to 10.1.5.26 port 2048 EAP-Message =
0x010303f21900160301004a02000046030146139af0c3e704b47f4b6b436a8b07d916c60b21a951af6c2918a39cadca6aa22013971c62e79c9f9f6e232f6d035b7705438843f46c8e38f788750500db6621bf000400160301038f0b00038b00038800038530820381308202eaa003020102020900e8e427c494215d09300d06092a864886f70d0101050500308188310b30090603550406130244453110300e060355040813075361636873656e3110300e060355040713074472657364656e3110300e060355040a13074d50492d4342473111300f060355040b1308436f6d7075746572310f300d06035504031306736572766572311f301d06092a86
EAP-Message =
0x4886f70d010901161061646d696e406d70692d6362672e6465301e170d3037303332343131313731395a170d3130303332333131313731395a308188310b30090603550406130244453110300e060355040813075361636873656e3110300e060355040713074472657364656e3110300e060355040a13074d50492d4342473111300f060355040b1308436f6d7075746572310f300d06035504031306736572766572311f301d06092a864886f70d010901161061646d696e406d70692d6362672e646530819f300d06092a864886f70d010101050003818d0030818902818100ac1158639bcdf711751f54bdf25c666d6f3a532967a7cba624a5167b
EAP-Message =
0xfb5c89d5a3f9d86fe9a7a2b0899925a4373725bed9eb20d41f05019541ee096201bb57b8f01646ac62884f36d54ea32620a11c760e769ace49d8d7dc42b3ba35c6d410b2fddbc2d689536f66646e94f594b516cb5b312f96f562529bcd7015540fd2be7d0203010001a381f03081ed301d0603551d0e041604141acd4d6d72dc026df7d0a5e77ea636e2c9bcfd4f3081bd0603551d230481b53081b280141acd4d6d72dc026df7d0a5e77ea636e2c9bcfd4fa1818ea4818b308188310b30090603550406130244453110300e060355040813075361636873656e3110300e060355040713074472657364656e3110300e060355040a13074d50492d4342
EAP-Message =
0x473111300f060355040b1308436f6d7075746572310f300d06035504031306736572766572311f301d06092a864886f70d010901161061646d696e406d70692d6362672e6465820900e8e427c494215d09300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009e5e89fa8a5e26ce9710bfde499a2b36d412f5acff40b544eec4839a67b768e6a778a5b8d54c8ad8b3ec8f438e96e0740103cbdb3e64c751e722e2c3538dccac3a993b94824ba4e48ba40ebc5c7b37c5c6048616f3b10d7f3d4b23cd84cd1e3e4b318e75d4fcd637ee1b5f263cd4adb006a80f62639825f6fb1a284e254a89be16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4e138cc588a831123b8c899c1e03c4fc Wed Apr 4 14:32:48 2007 : Debug: Finished request 74 Wed Apr 4 14:32:48 2007 : Debug: Going to the next request Wed Apr 4 14:32:48 2007 : Debug: rl_next: returning NULL Wed Apr 4 14:32:48 2007 : Debug: Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.1.5.26:2048, id=0,
length=143
User-Name = "testgeneral" NAS-IP-Address = 10.1.5.26 Called-Station-Id = "0016014d9158" Calling-Station-Id = "0019e3034ceb" NAS-Identifier = "0016014d9158" NAS-Port = 36 Framed-MTU = 1400 State = 0x4e138cc588a831123b8c899c1e03c4fc NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xf89ebcfef5ea8e2a15b9fc63884890df Wed Apr 4 14:32:48 2007 : Debug: Processing the authorize section of radiusd.conf Wed Apr 4 14:32:48 2007 : Debug: modcall: entering group authorize for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 75 Wed Apr 4 14:32:48 2007 : Debug: rlm_realm: No '@' in User-Name = "testgeneral", looking up realm NULL Wed Apr 4 14:32:48 2007 : Debug: rlm_realm: No such realm "NULL" Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 75 Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: EAP packet type response id 3 length 6 Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 75 Wed Apr 4 14:32:48 2007 : Debug: users: Matched entry testgeneral at line 216 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "files" returns ok for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling etc_smbpasswd (rlm_passwd) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from etc_smbpasswd (rlm_passwd) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "etc_smbpasswd" returns notfound for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 75 Wed Apr 4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type, not changing it. Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "pap" returns noop for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall: leaving group authorize (returns updated) for request 75 Wed Apr 4 14:32:48 2007 : Debug: rad_check_password: Found Auth-Type EAP Wed Apr 4 14:32:48 2007 : Debug: auth: type "EAP" Wed Apr 4 14:32:48 2007 : Debug: Processing the authenticate section of radiusd.conf Wed Apr 4 14:32:48 2007 : Debug: modcall: entering group authenticate for request 75 Wed Apr 4 14:32:48 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 75 Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: Request found, released from the list Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: EAP/peap Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: processing type peap Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_peap: Authenticate Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: processing TLS Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: Received EAP-TLS ACK message Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: ack handshake fragment handler Wed Apr 4 14:32:48 2007 : Debug: eaptls_verify returned 1 Wed Apr 4 14:32:48 2007 : Debug: eaptls_process returned 13 Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_peap: EAPTLS_HANDLED Wed Apr 4 14:32:48 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall[authenticate]: module "eap" returns handled for request 75 Wed Apr 4 14:32:48 2007 : Debug: modcall: leaving group authenticate (returns handled) for request 75
==================================================
Benjamin K. Eshun
Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses <http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com>. ------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html Your sever side certificate needs to have special OIDS, which the peap section of the eap.conf file warns you about. Windows will check that these OIDS are present in the certificate sent from the server, if they are not it will fail silently.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------ Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses <http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com>. Ok, your trying to do EAP-TLS ?
Looks like the client side is ok. Wed Apr 4 21:33:09 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Wed Apr 4 21:33:09 2007 : Debug: SSL Connection Established I don't think that error is actually an error, note the lack of an error location ... But could someone please confirm this ... Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes. Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied Wed Apr 4 21:21:48 2007 : Error: TLS Alert read:fatal:access denied Wed Apr 4 21:21:48 2007 : Info: rlm_eap_peap: No data inside of the tunnel. This however is an error. This would be where windows is rejecting the server side certificate and so TLS negotiation is failing. I'm currently in the same situation, trying to generate a certificate with openssl containing the correct OID (object identifier) . According to the microsoft support article (http://support.microsoft.com/kb/814394/en-us) "The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1." But I have no idea how to add it to the certificate, if you find out please let me know :) Thanks, Arran
On Wed, 2007-04-04 at 20:58 +0100, Arran Cudbard-Bell wrote:
According to the microsoft support article (http://support.microsoft.com/kb/814394/en-us)
"The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1."
But I have no idea how to add it to the certificate, if you find out please let me know :)
Check out this article: http://www.linuxjournal.com/article/8095 It explains how to get the MS attributes into the certificates. Hope this helps. -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
Ian Truelsen wrote:
On Wed, 2007-04-04 at 20:58 +0100, Arran Cudbard-Bell wrote:
According to the microsoft support article (http://support.microsoft.com/kb/814394/en-us)
"The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1."
But I have no idea how to add it to the certificate, if you find out please let me know :)
Check out this article:
http://www.linuxjournal.com/article/8095
It explains how to get the MS attributes into the certificates.
Hope this helps.
Excellent, thanks, just what I was looking for :) Is it really just as simple as creating the certificate, signing it with the right extensions, installing the proper rootCA on the windows machines , and configuring the windows supplicant correctly ? Which would be In authentication tab Enable IEEE 802.1x authentication for this network Setting EAP Type to PEAP In properties Validate server certificate Authentication method EAP-MSCHAP v2 Checking the Root CA the certificate was signed with . In Configure Automatically use my windows logo name and password unchecked. Or are there more weird windows things ? Gah... never appreciated Mac OSX so much. "oo looks like your connecting to an 802.11x network , please enter your username and password, hmm you havent chosen to explicitly trust this certificate would you like to ? .... Connected!"..... "and now i'm going to save your username and password in the keychain so you'll never have to go through this amazingly simple process ever again". --- Arran
On Wed, 2007-04-04 at 22:16 +0100, Arran Cudbard-Bell wrote:
Is it really just as simple as creating the certificate, signing it with the right extensions, installing the proper rootCA on the windows machines , and configuring the windows supplicant correctly ?
Pretty much. As long as you have the proper IP address for the AP in your clients.conf, which was my particular stupidity :) Still, it seems to work for me.
Which would be
In authentication tab Enable IEEE 802.1x authentication for this network Setting EAP Type to PEAP
In properties Validate server certificate Authentication method EAP-MSCHAP v2 Checking the Root CA the certificate was signed with .
In Configure Automatically use my windows logo name and password unchecked.
I am using both client and server certificates, so the logon and password is not currently needed -- for me. -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
Pretty much. As long as you have the proper IP address for the AP in your clients.conf, which was my particular stupidity :) Still, it seems to work for me.
Hehe, yeah same for me first time round ! Now it's all done via sql with a modified version of 1.1.5 to allow user NAS queries :)
I am using both client and server certificates, so the logon and password is not currently needed -- for me Eeek , yes not such a good solution in our case, certificate management for 10,000 very sleepy students .... not fun :)
Hi I'm quite new to Freeradius and EAP. I'm currently trying to test out EAP TTLS between Free radius and Cisco AP 1200 and a EAP client. Is it possibe to use test server certificates to do this? Does anyone have a sample configuration of Freeradius to do this? Rgds Andrea
Andrea.Boo@nokia.com wrote:
I'm quite new to Freeradius and EAP. I'm currently trying to test out EAP TTLS between Free radius and Cisco AP 1200 and a EAP client. Is it possibe to use test server certificates to do this?
Yes.
Does anyone have a sample configuration of Freeradius to do this?
The default configuration includes comments explaining how to get EAP to work. See the Wiki, too. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi I have just install the package of freeradius using "yum" which is available for fedora 6. However, I found that the demo cert in the server for EAP is expired and can't be installed on my client. I'm trying to generate a new cert by using the script cert.sh. However, it seems that the package does not come with such a script. Am I able to download this from somewhere so that I can generate new sets of certifcates? Rgds Andrea
I downloaded the latest FR, compiled but didnt install then used the script to generate the needed certs, worked fine. On 4/13/07, Andrea.Boo@nokia.com <Andrea.Boo@nokia.com> wrote:
Hi
I have just install the package of freeradius using "yum" which is available for fedora 6. However, I found that the demo cert in the server for EAP is expired and can't be installed on my client. I'm trying to generate a new cert by using the script cert.sh. However, it seems that the package does not come with such a script. Am I able to download this from somewhere so that I can generate new sets of certifcates?
Rgds Andrea
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Andrea.Boo@nokia.com -
Arran Cudbard-Bell -
Ian Truelsen -
Jacob Jarick