Decoupled accounting
Devinder Singh
devinbhullar at gmail.com
Tue Aug 4 10:28:53 CEST 2009
Hi Ivan,
OK, could you let me know what I need to alter in the Makefile?
Just wanted to make sure I don't do something wrong here.
What are the steps that I need to take to do this?
I can see a Makefile in /etc/raddb/certs
Thanks
Devinder
2009/8/4 Ivan Kalik <tnt at kalik.net>:
> OK, I think this is the issue where Windows refuses to accept server
> certificate as the intermediate CA. You should alter Makefile in certs to
> sign client certificates with CA and not server certificate.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>> Hi Ivan
>>
>>
>> I still get the same error now
>>
>>
>> Found Auth-Type = EAP
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] EAP/tls
>> [eap] processing type tls
>> [tls] Authenticate
>> [tls] processing EAP-TLS
>> [tls] eaptls_verify returned 7
>> [tls] Done initial handshake
>> [tls] <<< TLS 1.0 Handshake [length 03b2], Certificate
>> --> verify error:num=20:unable to get local issuer certificate
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert write:fatal:unknown CA
>> TLS_accept:error in SSLv3 read client certificate B
>> rlm_eap: SSL error error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> SSL: SSL_read failed in a system call (-1), TLS session fails.
>> TLS receive handshake failed during operation
>> [tls] eaptls_process returned 4
>> [eap] Handler failed in EAP/tls
>> [eap] Failed in EAP select
>> ++[eap] returns invalid
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} ->
>> devinder at palettemm.com
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 7 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 7
>> Sending Access-Reject of id 141 to 203.121.4.59 port 6001
>> EAP-Message = 0x04070004
>> Message-Authenticator = 0x00000000000000000000000000000000
>> Waking up in 3.8 seconds.
>> Cleaning up request 1 ID 135 with timestamp +120
>> Cleaning up request 2 ID 136 with timestamp +120
>> Cleaning up request 3 ID 137 with timestamp +120
>> Cleaning up request 4 ID 138 with timestamp +120
>> Cleaning up request 5 ID 139 with timestamp +120
>> Cleaning up request 6 ID 140 with timestamp +120
>> Waking up in 1.0 seconds.
>> Cleaning up request 7 ID 141 with timestamp +120
>> Ready to process requests.
>>
>>
>>
>> 2009/8/4 Devinder Singh <devinbhullar at gmail.com>:
>>> OK, I took your advice and yes, it's a different error now
>>>
>>> Listening on authentication address * port 1812
>>> Listening on accounting address * port 1813
>>> Listening on proxy address * port 1814
>>> Ready to process requests.
>>> rad_recv: Access-Request packet from host 203.121.4.59 port 6001,
>>> id=134, length=181
>>> User-Name = "devinder at palettemm.com"
>>> NAS-IP-Address = 203.121.4.59
>>> Called-Station-Id = "00-20-a6-6c-49-9d:palstaff"
>>> Calling-Station-Id = "00-04-23-7b-56-b9"
>>> NAS-Identifier = "ORiNOCO-AP-700-6c-49-9d"
>>> Framed-MTU = 1400
>>> NAS-Port-Type = Wireless-802.11
>>> EAP-Message =
>>> 0x0203001b01646576696e6465724070616c657474656d6d2e636f6d
>>> Message-Authenticator = 0xb7f29ed2232abda7b5b24bb131883617
>>> +- entering group authorize {...}
>>> ++[preprocess] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>> [suffix] Looking up realm "palettemm.com" for User-Name =
>>> "devinder at palettemm.com"
>>> [suffix] No such realm "palettemm.com"
>>> ++[suffix] returns noop
>>> [eap] EAP packet type response id 3 length 27
>>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>>> ++[eap] returns updated
>>> ++[unix] returns notfound
>>> [files] users: Matched entry devinder at palettemm.com at line 94
>>> ++[files] returns ok
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> [pap] WARNING! No "known good" password found for the user.
>>> Authentication may fail because of this.
>>> ++[pap] returns noop
>>> Found Auth-Type = EAP
>>> +- entering group authenticate {...}
>>> [eap] EAP Identity
>>> [eap] processing type md5
>>> rlm_eap_md5: Issuing Challenge
>>> ++[eap] returns handled
>>> Sending Access-Challenge of id 134 to 203.121.4.59 port 6001
>>> EAP-Message = 0x010400160410edd3007f1e599b71120693ed62eaee7c
>>> Message-Authenticator = 0x00000000000000000000000000000000
>>> State = 0x17b5db9117b1dfd16583cca5ed9db022
>>> Finished request 0.
>>> Going to the next request
>>> Waking up in 4.9 seconds.
>>> Cleaning up request 0 ID 134 with timestamp +1
>>> Ready to process requests.
>>>
>>>
>>>
>>>
>>>
>>> 2009/8/4 Devinder Singh <devinbhullar at gmail.com>:
>>>> Hi Ivan
>>>>
>>>> Thanks. Yes, I have double-clicked on the ca.der file and client.p12; both
>>>> were installed successfully.
>>>>
>>>> I also managed to set up my SSID palstaff, and when I click on the SSID
>>>> I see a pop-up window on my wireless LAN asking for my username on
>>>> certificate and I selected
>>>>
>>>> devinder at palettemm.com from the combo drop-down list and clicked OK
>>>>
>>>> When I click OK, radius reports the following error
>>>>
>>>> TLS Alert write:fatal:unknown CA
>>>> TLS_accept:error in SSLv3 read client certificate B
>>>> rlm_eap: SSL error error:140890B2:SSL
>>>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>>> SSL: SSL_read failed in a system call (-1), TLS session fails.
>>>> TLS receive handshake failed during operation
>>>> [tls] eaptls_process returned 4
>>>> [eap] Handler failed in EAP/tls
>>>> [eap] Failed in EAP select
>>>> ++[eap] returns invalid
>>>> Failed to authenticate the user.
>>>> Using Post-Auth-Type Reject
>>>> +- entering group REJECT {...}
>>>> [attr_filter.access_reject] expand: %{User-Name} ->
>>>> devinder at palettemm.com
>>>> attr_filter: Matched entry DEFAULT at line 11
>>>> ++[attr_filter.access_reject] returns updated
>>>> Delaying reject of request 6 for 1 seconds
>>>> Going to the next request
>>>> Waking up in 0.9 seconds.
>>>> Sending delayed reject for request 6
>>>> Sending Access-Reject of id 133 to 203.121.4.59 port 6001
>>>> EAP-Message = 0x040a0004
>>>> Message-Authenticator = 0x00000000000000000000000000000000
>>>> Waking up in 3.6 seconds.
>>>> Cleaning up request 0 ID 127 with timestamp +18
>>>> Cleaning up request 1 ID 128 with timestamp +18
>>>> Cleaning up request 2 ID 129 with timestamp +18
>>>> Cleaning up request 3 ID 130 with timestamp +18
>>>> Cleaning up request 4 ID 131 with timestamp +18
>>>> Waking up in 0.2 seconds.
>>>> Cleaning up request 5 ID 132 with timestamp +18
>>>> Waking up in 1.0 seconds.
>>>> Cleaning up request 6 ID 133 with timestamp +19
>>>> Ready to process requests.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2009/8/4 Ivan Kalik <tnt at kalik.net>:
>>>>>> I managed to follow the steps in /etc/raddb/certs/README
>>>>>>
>>>>>> and copied ca.der and client.p12 to XP machine
>>>>>
>>>>> It looks like you have copied them but not installed them in the
>>>>> certificate store. Double-click the certificates and install them
>>>>> first.
>>>>>
>>>>> Ivan Kalik
>>>>> Kalik Informatika ISP
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Devinder
>>>>
>>>
>>>
>>>
>>> --
>>> Devinder
>>>
>>
>>
>>
>> --
>> Devinder
>>
>
>
>
--
Devinder
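
The failure discussed in this thread, reproduced with the plain `openssl` CLI as an added example (not part of the original messages and not the FreeRADIUS certs Makefile): a client certificate issued by the server certificate fails against a trust store holding only the CA with verify error 20, while the same request signed by the CA verifies. All file names and subjects are constructed, and the script assumes `openssl` is installed with its default configuration.

```shell
#!/bin/sh
# Constructed demo PKI: every file name and subject below is made up.

# Create a key and CSR for subject $2, writing $1.key and $1.csr.
new_csr() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

# Sign $1.csr with issuer cert/key $2.pem / $2.key, writing $3.pem.
sign_with() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$3.pem" 2>/dev/null
}

# Build a root CA, a server cert, and one client CSR signed two ways.
build_demo_pki() {
    (
        cd "$1" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=Demo Root CA" -days 1 2>/dev/null || exit 1
        new_csr server "Demo RADIUS Server" && sign_with server ca server || exit 1
        new_csr client "demo-user" || exit 1
        # Issued by the server certificate: the layout that fails in this thread.
        sign_with client server client_by_server || exit 1
        # Issued directly by the CA: the layout Ivan recommends.
        sign_with client ca client_by_ca
    )
}

# Print 0 if cert $2 chains to trust anchor $1, else OpenSSL's verify error number.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then echo 0
    else echo unknown; fi
}

DEMO_DIR=$(mktemp -d)   # scratch directory; remove it when done
build_demo_pki "$DEMO_DIR"
echo "client signed by server cert: $(verify_code "$DEMO_DIR/ca.pem" "$DEMO_DIR/client_by_server.pem")"
echo "client signed by CA:          $(verify_code "$DEMO_DIR/ca.pem" "$DEMO_DIR/client_by_ca.pem")"
```

Error number 20 is the same `unable to get local issuer certificate` that appears in the debug output quoted above, just before the server sends the `unknown_ca` alert.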