howto EAP-TLS on freeradius 2.0.2-3 ??

Joel MBA OYONE mba_oyone at yahoo.fr
Mon May 19 01:10:17 CEST 2008


So I really wonder where the problem is!!!
Maybe it is due to the hardware I use...

My switch is a wireless controller: all APs receive their config (RF, SSID, channels, radio power, security stuff, etc.) from the switch. So when RADIUS authentication is set up, every AP has to be authenticated by FreeRADIUS before receiving the correct parameters by FR, using its MAC address as login and the word NOPASSWORD as password (that is what the theory said, because I had to set Auth-Type := Accept to make it work). At this stage, the authenticator is the wireless switch. It works with or without 802.1x ON. It works fine, and the APs are well managed from a central point. No RADIUS problem with AP authentication.

- step2:
When an AP is recognized, end users have to be authenticated by RADIUS too. At this step, as the documentation says, the managed AP becomes the "Authenticator" (so an entry exists for every AP in clients.conf too).

During the connection attempts, RADIUS receives the Access-Request, and the correct certificate is chosen (it gives me the correct common name of the certificate), but I think the supplicant (end user on XP) never receives the Access-Challenge, even if it is sent by the RADIUS server.

I don't know if I am well understood or if I misunderstood something, but it works like that for me now.

I installed, reinstalled and formatted so many times that I am convinced that I won't succeed alone.
Hey Ivan, won't you try to help me to fix this stone? I definitely have no delay anymore, and no solution either. FreeRADIUS is your own and I am pretty sure that we could both fix the problem between a quarter and a half if you take full remote control of my computer and network, with me assisting you and telling you my purpose.

Thanks for the help.





----- Original message ----
From: Ivan Kalik <tnt at kalik.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Monday, 19 May 2008, 00:37:23
Subject: RE: Re : Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

>Ok, we assume my certificates are correct.
>
>So I have some more questions:
>
>
>- Should the certificate be imported for user accounts or for the computer account?


Whoever/whatever your supplicant is trying to authenticate. If the supplicant
can't find the correct certificate it will give up.

>
>- I use the file "users" as database for my accounts; when using eap-tls
>when trying eap-peap my accounts look like that:
>
>>> johndoe     Auth-Type := EAP, User-Password == "test1234"
>>>                      Tunnel-Type = 13,
>>>                      Tunnel-Medium-Type = 6,
>
>or 
>>> johndoe       User-Password == "test1234"
>>>                      Tunnel-Type = 13,
>>>                      Tunnel-Medium-Type = 6,


No, don't use Auth-Type. Use Cleartext-Password or NT-Password (the names
clearly suggest whether they are encrypted and how) with mschap.

>
>
>- when I use eap-tls, it looks like that:
>
>>> johndoe 
>>>          Tunnel-Type = 13,
>>>          Tunnel-Medium-Type = 6,
>-----
>
>and sometimes I add the VLAN assignment by using the attribute
>"Tunnel-Private-Group-ID = 100" (VLAN 100 is assigned to the SSID I am
>interested in)
>
>Is it correct?

It will work, but it's more common to use "human" values (VLAN and
IEEE-802).

Ivan Kalik
Kalik Informatika ISP
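
A small lint for the points raised in this thread (Auth-Type set in the users file, User-Password used as a check item, numeric tunnel values), added here as an example; it is not code from either poster or from the FreeRADIUS project. The sample entries, the MAC-style user name and the function name `lint_users` are constructed for illustration.

```python
import re

# Constructed sample in FreeRADIUS "users" file syntax (not taken from a real server).
SAMPLE_USERS = '''\
johndoe Auth-Type := EAP, User-Password == "test1234"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 100

janedoe Cleartext-Password := "test1234"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 100

001122334455 Auth-Type := Accept
'''

# Numeric values and the dictionary names they stand for (RFC 2868 / RFC 3580).
NAMED = {"Tunnel-Type": {"13": "VLAN"}, "Tunnel-Medium-Type": {"6": "IEEE-802"}}
PAIR = re.compile(r'([A-Za-z][\w-]*)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')

def lint_users(text):
    """Return (user, message) findings for each entry in a users file."""
    findings, user = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # unindented line: user name + check items
            parts = line.split(None, 1)
            user, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        else:                                # indented line: reply items
            rest = line
        for attr, _op, value in PAIR.findall(rest):
            value = value.strip('"')
            if attr == "Auth-Type" and value == "Accept":
                findings.append((user, "Auth-Type Accept: no credential is checked"))
            elif attr == "Auth-Type":
                findings.append((user, "Auth-Type forced: let the server choose it"))
            elif attr == "User-Password":
                findings.append((user, "User-Password: use Cleartext-Password or NT-Password"))
            elif value in NAMED.get(attr, {}):
                findings.append((user, f"{attr} = {value}: write {NAMED[attr][value]}"))
    return findings

if __name__ == "__main__":
    for user, message in lint_users(SAMPLE_USERS):
        print(f"{user}: {message}")
```
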

