Problems using EAP-TLS with freeradius version 2

Stefan Puch s.puch at web.de
Wed Feb 6 09:45:41 CET 2008


@Alan DeKok
> I'll bet that if you posted the final Access-Accept from 1.1.7 and from 
> 2.0.1, that they would be *different*.  If you make them the same, I'll also 
> bet that the NAS will accept the user.
You were right (you win the bet). I accidentally commented out an entry in the
"default" file, whose settings were included in radiusd.conf in previous versions
of freeradius.

> Stop fighting with the certificates.  You're wasting your time, and confusing
> yourself.  Start looking at the contents of the Access-Accept, which is the
> only thing that really matters.
With that hint I was able to get Windows and Linux laptops working again using
EAP-TLS and freeradius 2.0.1. I also managed to get a WM2003 and a WM6 PDA
connecting using EAP-PEAP.
For using EAP-TLS with the Windows Mobile devices I still have to solve one
problem, which I think would be no problem for you: the problem with the
username of the devices.

If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a
working configuration, but in the end it should also work with that option enabled.
The problem with the Windows Mobile devices is that they always submit
"DOMAIN\user" as the username. If you leave the DOMAINNAME blank, "\user" is still used.
Since the radiusd.conf hints say that I should NOT use the option
"with_ntdomain_hack" (and when I tested it, it still didn't work for me), I wanted to
use the "Realm module".
But at the moment I didn't fully understand how realms work, although I did read
the posting on this mailing list (from 2004) and the manpage.
I know that I will have to use the realm module

# 'domain\user'
realm ntdomain {
        format = prefix
        delimiter = "\\"
}

therefore, but what else do I have to configure when I want to use a "blank"
domain? First I tried with a domain called "bla" which is configured in proxy.conf:

realm bla {
        authhost        = LOCAL
        accthost        = LOCAL
}

The attached logfile shows that the username is stripped correctly, but
obviously the stripped username is not passed correctly to the eap module. Can
anyone tell me what else I have to configure? My goal is simply to strip the
"empty" domain from the username, so that eap-tls works with the option
"check_cert_cn = %{User-Name}" enabled in eap.conf.

In short:
How do I specify an empty domain (realm "" {authhost = LOCAL, accthost = LOCAL}
doesn't work)?

What else do I have to configure when the realm ntdomain is set in radiusd.conf
(I have also set ntdomain in the "authorize" and "preacct" sections)?

Best regards and thanks in advance

Stefan Puch

PS: When I've got a working configuration for the Windows Mobile devices, I'm
going to write a little HOWTO like the one "EAP/TLS Setup for FreeRADIUS and
Windows XP Supplicant", just for mobile PDAs.


Attachment: eap-tls-wm.log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080206/92689c26/attachment.ksh>
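As an added example, not code from the original post or from FreeRADIUS itself, the following Python models what a prefix-format realm split with delimiter "\\" does to the usernames described above, and why a check of the certificate CN against User-Name only succeeds once the empty domain has been stripped. The function names, sample usernames and certificate CNs are constructed for illustration; whether FreeRADIUS accepts an empty realm name is exactly what the post asks, so treating the empty prefix as a realm named "" is a modelling assumption here, not a statement about the realm module's behaviour.

```python
"""Model of prefix-style realm stripping for 'DOMAIN\\user' usernames.

Added example: mimics the effect of a realm with `format = prefix` and
`delimiter = "\\"`, as configured in the post, and the effect of comparing
the certificate CN against the (stripped or unstripped) User-Name.
"""
from typing import Dict, Optional, Tuple


def split_prefix_realm(user_name: str, delimiter: str = "\\") -> Tuple[Optional[str], str]:
    """Split 'REALM<delimiter>user' into (realm, stripped user name).

    - No delimiter present: realm is None and the name is left untouched.
    - Empty part before the delimiter ('\\user', as Windows Mobile sends
      with a blank domain): realm is "" (modelling assumption) and the
      stripped name is 'user'.
    A prefix format splits on the first delimiter occurrence.
    """
    head, sep, tail = user_name.partition(delimiter)
    if not sep:
        return None, user_name
    return head, tail


def raw_cn_matches(user_name: str, cert_cn: str) -> bool:
    """Hypothetical helper: CN check against the *unstripped* User-Name.

    This is the situation the post describes with check_cert_cn enabled
    and no realm stripping: '\\user' never equals the CN 'user'.
    """
    return user_name == cert_cn


def stripped_cn_matches(user_name: str, cert_cn: str, delimiter: str = "\\") -> bool:
    """Hypothetical helper: CN check against the realm-stripped User-Name."""
    _, stripped = split_prefix_realm(user_name, delimiter)
    return stripped == cert_cn


# Constructed sample (User-Name as sent by the supplicant, CN in its client cert).
SAMPLE_REQUESTS: Dict[str, str] = {
    "\\pda01": "pda01",        # Windows Mobile, blank domain
    "CORP\\pda02": "pda02",    # Windows Mobile, domain set
    "laptop01": "laptop01",    # Windows XP / Linux supplicant, no domain
}


def evaluate(requests: Dict[str, str] = SAMPLE_REQUESTS) -> Dict[str, Dict[str, object]]:
    """Return, per User-Name, the split result and both CN-check outcomes."""
    report: Dict[str, Dict[str, object]] = {}
    for user_name, cn in requests.items():
        realm, stripped = split_prefix_realm(user_name)
        report[user_name] = {
            "realm": realm,
            "stripped": stripped,
            "raw_match": raw_cn_matches(user_name, cn),
            "stripped_match": stripped_cn_matches(user_name, cn),
        }
    return report


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name!r:>14} -> realm={row['realm']!r:8} stripped={row['stripped']!r:10} "
              f"raw_match={row['raw_match']} stripped_match={row['stripped_match']}")
```

Running the block shows the two Windows Mobile names failing the raw comparison and passing the stripped one, while the plain laptop name passes both; this is the difference between the working configuration with check_cert_cn disabled and the desired one with it enabled, provided the stripped name is what the eap module sees.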

