802.1x on Active Directory: no errors in debug but auth fails
Hi, I'm trying to setup Freeradius2 (2.1.7-7) on Red Hat 5.5 to authenticate Windows 802.1x clients on the LAN by Active Directory. Network switches are HP Procurve 2610. I followed: http://deployingradius.com/documents/configuration/active_directory.html tutorial without any difficulty but PC is unable to authenticate even if I'm not able to see any error in "radiusd -X" output: ##################################################################### FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Dec 30 2009 at 13:47:58 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client sw-test { require_message_authenticator = no secret = "thankyou" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-PITAGORA} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Instantiating ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=PITAGORA --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=46, length=242 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" EAP-Message = 0x020100210150495441474f52415c6769616e6672616e636f2e63617264696c6c6f Message-Authenticator = 0x23fccd425e446ea9cb372d952782d4ba +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 46 to 10.63.1.207 port 1025 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x0102001604100ad511f05f27d9673a2f4aa87ec6f29b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2c2310a9b10e022abbe73f133 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=47, length=233 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" State = 0xc2330ef2c2310a9b10e022abbe73f133 EAP-Message = 0x020200060319 Message-Authenticator = 0x1433cd9351165311cf6481b2598a2900 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 47 to 10.63.1.207 port 1025 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2c330179b10e022abbe73f133 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=48, length=314 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" State = 0xc2330ef2c330179b10e022abbe73f133 EAP-Message = 0x0203005719800000004d16030100480100004403014d4fd13cf2eeeab2afebcd0bac01461a f387fed3654bc64abb3342e273f4cab700001600040005000a00090064006200030006001300 12006301000005ff01000100 Message-Authenticator = 0x04a5713d3acefa6a14589feb04cf1fe5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 48 to 10.63.1.207 port 1025 EAP-Message = 0x0104040019c0000008a216030100310200002d03014d4fd13cc78072b7ad2723a076a86ca1 dcc8644ef4fd8c062bd543bda538c7fc000004000005ff01000100160301085e0b00085a0008 570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193 310b3009060355040613024652310f300d060355040813065261646975733112301006035504 071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e312030 1e06092a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355 0403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3131303230343134333331345a170d3132303230343134333331 345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013 060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c6520 5365727665722043657274696669636174653120301e06092a864886f70d010901161161646d 696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f00 3082010a0282010100ea55617b68e9f5afb5bda1ccdc3a6bdab724c33edcb047875e2e035dc5 7e07efe2becbdde3f8c77445f0cb61da0a7360e8eabc52c2e909 EAP-Message = 0x982ce71d51aed0cad56be3067d0583d34a62dc33d1265ffada76166d572ce71551697e5395 e0bca3b197ae0003a9afe9c89c55c6a935e267beecb1a28d17a044c932761b9dc28799bcfd92 50ec5f9ed92ee00383e591823bae32f15e1bf33728817b26c51712099afb931166ff2c40d266 e9dbfb6ed6d516bf55c957f49713981e48c578bd0d9450c10bce8173173837d408212e49c386 2f84a2d6ead9b894e2bcdc76f20ac3c9221fe60038fda32c3f3f9e085f721dc1bf87617d1378 4a7c5faec678798a42a173af0203010001a317301530130603551d25040c300a06082b060105 05070301300d06092a864886f70d01010405000382010100bfb1 EAP-Message = 0x34afa9e780cce028160fdbf6426edcd838712aa615cda0542ce21e7b51b72a2a11a5f35740 e1b37f604ad87f825888490576ac0adefb5cde9b49be770f8889a776b1e3c1fcec196080fbc1 f7005961dd91ba29f7a4f79714a43c6a198da71b59d9d74bb644d33df3c762597d635d3fb79b e17cbd95ae7a8fe74cbb4cbf44ad0d6f6a322923f161e48382b2546cc97ff0b608424cfbcd60 91483f08831dc63bb6352d124f66a37b8bbd9ee2f16442c123462dee541f0cd5a77f011a7c60 77134aad0bfabebafde4d4bbeb721fb0e3a10725260e9584a3e621286a7ed7cb7f00668b87e9 37a54805e4fe0b09993b30693725b0f85f187e5fc6626aa62984 EAP-Message = 0x8f0004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2c037179b10e022abbe73f133 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=49, length=233 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" State = 0xc2330ef2c037179b10e022abbe73f133 EAP-Message = 0x020400061900 Message-Authenticator = 0x03ea01b263bdcbb60dcbc6ca9e56f829 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 49 to 10.63.1.207 port 1025 EAP-Message = 0x010503fc1940a003020102020900cbfbb3c6e6eac293300d06092a864886f70d0101050500 308193310b3009060355040613024652310f300d060355040813065261646975733112301006 035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e 3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d31263024 0603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e 170d3131303230343134333331345a170d3132303230343134333331345a308193310b300906 0355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c65 20496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f 6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72 69747930820122300d06092a864886f70d01010105000382010f003082010a0282010100f09f 04293b15c3fbc1cd487f7e8c2672e6ed9b3f2076497505fcbca6ae04bb1a28a3f71836569feb 0f993d069adf937a3c85171558868dee233085f11f2f749efaa2dd25693d4c8bb36b4c49ecae 5c61d949db07a3520fc38f13908254be3b2d9b75357e130b60b3 EAP-Message = 0x154e657206dfdc54bce402c1786dee6934211b4c40fa5976c6def1794d0b239a509cdf7beb 96bb560fa7ffb595626676db99d8d46ad9baa14beb797bbeb2a40bd823e31515dcf97843f821 43780c76238000bacc252381e46118aba2048529df1de0a840bf3bf649104b0800bd1d2f4bc9 08421cccdc648783d3392045c90a0e3fe023e2d66afa9d1e9dfd130bf99a5437511bf7606629 e90203010001a381fb3081f8301d0603551d0e041604142fad8e1834baf2c00ff7a992e1ac5f f2a59c840a3081c80603551d230481c03081bd80142fad8e1834baf2c00ff7a992e1ac5ff2a5 9c840aa18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531 153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01090116 1161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043 6572746966696361746520417574686f72697479820900cbfbb3c6e6eac293300c0603551d13 040530030101ff300d06092a864886f70d01010505000382010100324abb2820dac845e24553 75ecb04b30eaa4430dd010afea712210be69f74e194e4a06eeb2fffc584ef62549b0751eeb80 5f64ac9f6a3e31c5703dc7e0d53b670215dd7731c9cc2ca45bde EAP-Message = 0x50458bff45c56032 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2c136179b10e022abbe73f133 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=50, length=233 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" State = 0xc2330ef2c136179b10e022abbe73f133 EAP-Message = 0x020500061900 Message-Authenticator = 0x737833619f69c6a5a575256d21bd42d6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 50 to 10.63.1.207 port 1025 EAP-Message = 0x010600bc1900ddb966ad449ebce7845bd0ae07480e65bea3e8ea663b5e63a7611dcaf8a7c0 846188c452db0cf8e0ef66c0e43f953dd2ed2b8e87682cd1315c717c80e4fab9855f30cd20ea 93f250fb30d75fff92212902209b8debc5f3083e50740f5fa92e24c053893f86f3688e113ef1 1c609f6536860396bb10842f6345d4c4abbea751aa0655f7a2def230abcefa504fac484df327 65271397e546271e2dbd4f8bfa26c5d83d7c74df6f01440a6a2f4f9816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2c635179b10e022abbe73f133 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=51, length=549 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" State = 0xc2330ef2c635179b10e022abbe73f133 EAP-Message = 0x02060140198000000136160301010610000102010013a4a5cfa0977e0775057b68fa525204 043b1eb0bc219d09f048fe6d63e032aa3ac386d0383ebddbb468498ab5efb55714eaddc7681b 7ecd1eb9c6561a094cc52aed59125ce5ff1150671baec79edc87eec83138fbe4ce3a64f49fd9 e76554acdae5a127cbd4164b568c60c20a682220e3cb9dc68b46a455cccaa247a609f01a134c 8f1fd66975dad840ff3c7b040defd618918c73da49f561a857a3177682e27fc67c940261251d 9d8c725eb70e45eaaf79fc898f9f8efa8162011d0bca0212b4aff0ea8ca6e3b3796e490a84e7 efbf0d8db98c70c9e2d70dae38ba5ed6411e2a946fb9aae29033 EAP-Message = 0x465b5a926f959280200fe13d2dae18498f78c53798248f9914030100010116030100207dc5 1c2e15af596e0698dd6108a1aa3d0fcea328015ba5354de641c979dc2020 Message-Authenticator = 0x16550f99a63143672ac90b00dbd3114b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 51 to 10.63.1.207 port 1025 EAP-Message = 0x01070031190014030100010116030100205ade2f3e33e8685e52df75423f2473025edd9c2f cf68c03232281c39f616dca1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2c734179b10e022abbe73f133 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=52, length=233 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" State = 0xc2330ef2c734179b10e022abbe73f133 EAP-Message = 0x020700061900 Message-Authenticator = 0x26998eddde82022fa49c43d7b4ebb76a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 52 to 10.63.1.207 port 1025 EAP-Message = 0x01080020190017030100154b7b5dd4c4f406c163805dec8c21607a8babdad020 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2c43b179b10e022abbe73f133 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=53, length=283 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" State = 0xc2330ef2c43b179b10e022abbe73f133 EAP-Message = 0x020800381900170301002d089df87f8e1e5987ef1792c8925e1194dc3b9a7d372f23a69484 fb4dffcfac64811aae3e366003e7f13d79d7a3 Message-Authenticator = 0xa585cf547907140181f7b8426dca155e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 56 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - PITAGORA\testuser [peap] Got tunneled request EAP-Message = 0x020800210150495441474f52415c6769616e6672616e636f2e63617264696c6c6f server { PEAP: Got tunneled identity of PITAGORA\testuser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to PITAGORA\testuser Sending tunneled request EAP-Message = 0x020800210150495441474f52415c6769616e6672616e636f2e63617264696c6c6f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "PITAGORA\\testuser" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900361a010900311014d6c9e2f9cb4a58554df2cb29adb0a950495441474f52415c6769 616e6672616e636f2e63617264696c6c6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37523e80375b245973dcd634f3fc6f7a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900361a010900311014d6c9e2f9cb4a58554df2cb29adb0a950495441474f52415c6769 616e6672616e636f2e63617264696c6c6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37523e80375b245973dcd634f3fc6f7a [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 53 to 10.63.1.207 port 1025 EAP-Message = 0x0109004d190017030100429b5f32184f610613f00b1cce946385098a8eff56bfd4be135578 680f6b0dff1f5ed1ac0d1678088067a3ab3d5e9242114e5e7a0d7290bdf6ad92bf5d4efb6816 cffb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2c53a179b10e022abbe73f133 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=54, length=337 Framed-MTU = 1480 NAS-IP-Address = 10.63.1.207 NAS-Identifier = "sw-test" User-Name = "PITAGORA\\testuser" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 3 NAS-Port-Type = Ethernet NAS-Port-Id = "3" Called-Station-Id = "00-12-79-ca-9d-80" Calling-Station-Id = "00-02-3f-31-7e-5d" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "6" State = 0xc2330ef2c53a179b10e022abbe73f133 EAP-Message = 0x0209006e19001703010063f8651686a818b10b399c346b7e7d55f1ed23cd3c68c02aab5143 e156b46c87f3b06be3a6546fbdc9fe76ae1250c4900db2a0a246a229176bfc8ecfc564d274dc fde0c6f1b4c6856045202ac081856d1788e1728ef297877b9f889710a290ec845bdf45 Message-Authenticator = 0xa10bdae95be3fb4f160fea338874c85a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 110 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900571a02090052318b237fb97c62ee51a148a9f160c34b6c000000000000000070e882 9b2758fcac1999a7165374bbef5f406c32951a8d1c0050495441474f52415c6769616e667261 6e636f2e63617264696c6c6f server { PEAP: Setting User-Name to PITAGORA\testuser Sending tunneled request EAP-Message = 0x020900571a02090052318b237fb97c62ee51a148a9f160c34b6c000000000000000070e882 9b2758fcac1999a7165374bbef5f406c32951a8d1c0050495441474f52415c6769616e667261 6e636f2e63617264696c6c6f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "PITAGORA\\testuser" State = 0x37523e80375b245973dcd634f3fc6f7a server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 87 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for testuser with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=testuser [mschap] expand: %{mschap:NT-Domain} -> PITAGORA [mschap] expand: --domain=%{%{mschap:NT-Domain}:-PITAGORA} -> --domain=PITAGORA [mschap] mschap2: 14 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=fb9a84f7a072a61e [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=70e8829b2758fcac1999a7165374bbef5f406c32951a8d1c Exec-Program output: NT_KEY: 5E93A783937468FDED71B619F0781AD4 Exec-Program-Wait: plaintext: NT_KEY: 5E93A783937468FDED71B619F0781AD4 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731 3133303545423545354633383131 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37523e803658245973dcd634f3fc6f7a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731 3133303545423545354633383131 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37523e803658245973dcd634f3fc6f7a [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 54 to 10.63.1.207 port 1025 EAP-Message = 0x010a004a1900170301003f89859944848beaa1a1150d04b44af7343d3f0867517b48dcfa7c 1a3a38468e2c7f73a4a6d760ee589d34d3ae808c8fe81be20e246f39c054d1efa38ae39490 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2ca39179b10e022abbe73f133 Finished request 8. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 46 with timestamp +31 Cleaning up request 1 ID 47 with timestamp +31 Cleaning up request 2 ID 48 with timestamp +31 Cleaning up request 3 ID 49 with timestamp +31 Cleaning up request 4 ID 50 with timestamp +31 Cleaning up request 5 ID 51 with timestamp +31 Cleaning up request 6 ID 52 with timestamp +31 Cleaning up request 7 ID 53 with timestamp +31 Cleaning up request 8 ID 54 with timestamp +31 Ready to process requests. ############################################################################ ########### Any help? Thanks in advance -- DV
Hi,
} # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731 3133303545423545354633383131 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37523e803658245973dcd634f3fc6f7a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731 3133303545423545354633383131 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37523e803658245973dcd634f3fc6f7a [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 54 to 10.63.1.207 port 1025 EAP-Message = 0x010a004a1900170301003f89859944848beaa1a1150d04b44af7343d3f0867517b48dcfa7c 1a3a38468e2c7f73a4a6d760ee589d34d3ae808c8fe81be20e246f39c054d1efa38ae39490 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2330ef2ca39179b10e022abbe73f133
..this is where it ends - an access challenge never gets responded to. do you have the CA of the RADIUS server installed on the client? alan
..this is where it ends - an access challenge never gets responded to. do you have the CA of the RADIUS server installed on the client? No but I disabled "Validate Server Certificate" on the client. Is it not enough?
add the CA Done but same problem. I read certs/README file with MANY other caveats about Windows:
- Windows requires certain OID's in the certificates. If it doesn't see them, it will stop doing EAP. The most visibile effect is that the client starts EAP, gets a few Access-Challenge packets, and then a little while later re-starts EAP. If this happens, see the FAQ, and the comments in raddb/eap.conf for how to fix it. - Windows requires the root certificates to be on the client PC. If it doesn't have them, you will see the same issue as above. - Windows XP post SP2 has a bug where it has problems with certificate chains. i.e. if the server certificate is an intermediate one, and not a root one, then authentication will silently fail, as above. I'm sorry to blamed Freeradius. I'm forced to abandone this project and resort to M$'NAP server :( Thanks -- DV
Domenico Viggiani wrote:
Done but same problem. I read certs/README file with MANY other caveats about Windows:
http://deployingradius.com has *complete* and *detailed* instructions for getting EAP to work with Windows.
I'm forced to abandone this project and resort to M$'NAP server :(
If it works with NAP, you can get it to work with FreeRADIUS. There are 10's of 1000's of sites using Windows clients with FreeRADIUS. There is *every* reason to believe that it works. Alan DeKok.
> > I'm forced to abandone this project and resort to M$'NAP server :( > > If it works with NAP, you can get it to work with FreeRADIUS. > > There are 10's of 1000's of sites using Windows clients with > FreeRADIUS. There is *every* reason to believe that it works. Of course. Sorry for my previous complaints. > http://deployingradius.com has *complete* and *detailed* instructions > for getting EAP to work with Windows. I'm looting that site without moderation! Questions: 1) I installed certs/ca.der under "Trusted Root Certification Authorities" of *computer* account on the client PC 2) I noticed that self-generated certs would contain XP extensions, specified here http://deployingradius.com/documents/configuration/oid.html 3) I didn't installed Microsoft fix: http://support.microsoft.com/kb/885453/en-us because I have XP SP3. What did I forget? Thanks again -- DV
Hi,
I'm forced to abandone this project and resort to M$'NAP server :(
if you do, then its your loss and you'll be limited for the future of your infrastructure. use freeRADIUS - after all, at least it will give you information and debug detailed information....when NPS goes wrong...well, good luck. this is probably a trivial issue - how did you create your CA? how did you sign the radius CRT/PKCS12 file? if you use the out of the box basic cert creation script (as pre generated the first time you run FR straight from compiled from source) then it works. I can guarantee that after running such installs many times myself (and then going ahead to use own CA and signed server cert). I deal with 4 of the major RADIUS server platforms...and FR is the only one that can deal with every issue and corner case that comes along, the rest are very limited...and you dont want a limiting server as it then places limits of what you can do with it and what clients you can support. alan
if you do, then its your loss and you'll be limited for the future of your infrastructure.
use freeRADIUS - after all, at least it will give you information and debug detailed information....when NPS goes wrong...well, good luck. I understand very well: I used older M$'IAS and it offered NO debug info at all!
this is probably a trivial issue - how did you create your CA? how did you sign the radius CRT/PKCS12 file? I used the self-generated certificates, at first startup of Freeradius service (installed from Red Hat "official" RPM package, not compiled).
What else can I do? A client PC with an OS different from XP? -- DV
Hi,
service (installed from Red Hat "official" RPM package, not compiled).
What else can I do? A client PC with an OS different from XP?
for initial testing/verification, use a client that isnt stupid or fussy. I'd say start with basic reference system - eg Linux with wpa_supplicant (eg modern Ubuntu on laptop).....then try a Mac OSX system (10.6) with PEAP or EAP-TTLS - then look at Windows and smartphones. your issue could be due to client or NAS alan
Hi Not sure if your just having issues with the OID or something else, but I found the thread really helped to fix cert issues I had. http://lists.cistron.nl/pipermail/freeradius-users/2006-October/msg00515.htm... . I used the MS cert server as described in this listing as well as used our Novell Cert server and both worked for issuing a Cert that MS clients will accept. I am sure OpenSSL can do it to just never looked far enough into it to see the exact syntax. Hope this helps. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Monday, February 07, 2011 at 7:27 AM, in message <00a301cbc6db$90153ec0$b03fbc40$@it>, Domenico Viggiani <dviggiani@tiscali.it> wrote:
if you do, then its your loss and you'll be limited for the future of your infrastructure.
use freeRADIUS - after all, at least it will give you information and debug detailed information....when NPS goes wrong...well, good luck. I understand very well: I used older M$'IAS and it offered NO debug info at all!
this is probably a trivial issue - how did you create your CA? how did you sign the radius CRT/PKCS12 file? I used the self-generated certificates, at first startup of Freeradius service (installed from Red Hat "official" RPM package, not compiled).
What else can I do? A client PC with an OS different from XP? -- DV - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Brett Littrell wrote:
Not sure if your just having issues with the OID or something else, but I found the thread really helped to fix cert issues I > had.
http://lists.cistron.nl/pipermail/freeradius-users/2006-October/msg00515.htm l
I used the MS cert server as described in this listing as well as used our Novell Cert server and both worked for issuing a Cert that MS clients will accept. I am sure OpenSSL can do it to just never looked far enough into it to see the exact syntax
Thanks but I think that recent versions of Freeradius contains a certs generation script that provide "test" certificates with all OIDs needed. Or am I wrong? I'm currently still unable to authenticate a XP SP3 client to FR by Active Directory. Regards -- DV
On 02/08/2011 06:16 AM, Domenico Viggiani wrote:
Thanks but I think that recent versions of Freeradius contains a certs generation script that provide "test" certificates with all OIDs needed. Or am I wrong?
I'm currently still unable to authenticate a XP SP3 client to FR by Active Directory.
I think the OP said they were using a RHEL 5 or CentOS 5 package, if so there are two things you might want to check. We had bugs opened saying the default cert configuration was too weak and the following two adjustments were made. The validity period was reduced from 1 year to 60 days. The certs created during installation are meant for testing and since they are created silently it was felt a naive admin might not realize they've got certs useful for authentication sitting around. The idea is the certs will get you over the hump of testing your installation but for deployment you need to go back and regenerate them for actual deployment. So make sure the certs are still within they're validity period. Secondly the default digest was changed from md5 to sha1. The is a change also present in current OpenSSL releases. md5 is known to be weak. The generated certs were tested but only with Linux to Linux but not with Windows. In theory Windows shouldn't have a problem with sha1 digests in certs, but Windows seems to be very finicky when it comes to x509. So you might want to set default_md in the /etc/raddb/*.cnf files back to md5 and see if that's affecting anything. Hope that helps, John -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
I do not recall FR 2.11 default working with Windows so I followed the instructions from the link I posted and it started to work after that; of course I am using a LDAP back end not AD directly. I can and do authenticate Windows XP SP3 no problem against FR, but as I said it is with an LDAP back end, maybe an AD backend is a bit different. Good luck on it either way, you will eventually find your way there I am sure:) Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Tuesday, February 08, 2011 at 3:16 AM, in message <00ad01cbc781$94f25850$bed708f0$@it>, Domenico Viggiani <dviggiani@tiscali.it> wrote:
Brett Littrell wrote:
Not sure if your just having issues with the OID or something else, but I found the thread really helped to fix cert issues I > had.
http://lists.cistron.nl/pipermail/freeradius-users/2006-October/msg00515.htm l
I used the MS cert server as described in this listing as well as used our Novell Cert server and both worked for issuing a Cert that MS clients will accept. I am sure OpenSSL can do it to just never looked far enough into it to see the exact syntax
Thanks but I think that recent versions of Freeradius contains a certs generation script that provide "test" certificates with all OIDs needed. Or am I wrong? I'm currently still unable to authenticate a XP SP3 client to FR by Active Directory. Regards -- DV - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan Buxey -
Alan DeKok -
Brett Littrell -
Domenico Viggiani -
John Dennis