cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Reveal MAP revealmapp at yahoo.fr
Fri Jul 25 19:10:21 CEST 2008



> installing ca.der and putting user && pass into client machine, the
> authentication doesn't work?

  -- no, it doesn't! 

> you only need ca.der but, if you have an active directory like LDAP,
> check if your communication with AD server also has tls authentication.
> In the ldap module you can configure another tls block, which is
> different from the tls block in the eap module.

 -- Well, the howto explaining how freeradius has to authenticate users against Active Directory says nothing about ldap config files on the linux server. It just gives tips about samba, using winbind, ntlm_auth, krb5.conf, nsswitch.conf and the mschap module in freeradius.
I have already succeeded with this kind of authentication without reading or changing a line of the ldap module in freeradius.
And I think authenticating users against OpenLDAP won't be managed like authentication of freeradius using Active Directory.

> I don't know if it is your problem, but I suppose that communication
> between ldap server and radius can have different certificates, from
> different CAs than eap communication.


My wireless network is secured with WPA/WPA2 Enterprise, requiring a RADIUS server to perform authentication. So I am doing 802.1X authentication, which exploits a valid PKI, regardless of the base of users. This is how I understand it.

> If it is your problem, I would
> check it. It would also be good if you posted the debug of radius to see which
> certificate can't validate.

See the log there: http://tinypaste.com/5b99b
An active and valid user is:
    login: glouglou
    password: glouglou

aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
password:
NT_STATUS_OK: Success (0x0)
aaa:~ #                     


:/ Any help will be appreciated. These days I am wondering about the validity of the server certificate!
I have to tell you that, in my case, if I try a PEAP authentication against Active Directory with wrong user credentials, I get an error message saying that the login or password is incorrect. With good user credentials, I just obtain what you can see in the radiusd -X output (http://tinypaste.com/5b99b).

thank you