question about windows users

Bartosz Chodzinski bartosz.c at gmail.com
Tue May 19 15:42:17 CEST 2009


I created the certs once again by myself, giving the user cert the same common name as in the example,
user at example.com. I placed them on the XP client; both of them look ok.
Now something is happening (anyway, like Aragorn said: "still not king"):


Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206,
length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user at example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 14 to 127.0.0.1 port 1812
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323036
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 14 to 127.0.0.1 port 1812
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14,
length=140
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633
        Proxy-State = 0x323036
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 14 to 127.0.0.1 port 1814
        Proxy-State = 0x323036
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14,
length=25
        Proxy-State = 0x323036
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user at example.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 206 to 192.168.5.206 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 14 with timestamp +43
Cleaning up request 0 ID 206 with timestamp +43
Ready to process requests.




On Tue, May 19, 2009 at 2:23 PM, Bartosz Chodzinski <bartosz.c at gmail.com> wrote:

> So in other words, this script is for all clients except Microsoft-like ones?
> >You should try altering make client command in Makefile so that client
> certificates are signed by ca and not server certificate.
> Do you have such an altered Makefile?
>
>
>
>
> On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik <tnt at kalik.net> wrote:
>
>> > # make client
>> >
>> > next I made a copy of ca.der and client.p12 to the xp directory,
>> > next I opened mmc and installed both of them into Trusted Root Certificate
>> > Authorities and into Personal
>> >
>> > exclamation mark on client certificate:
>> > "windows does not have enough information to verify this certificate"
>> > "you have private key that corresponds to this certificate"
>> >
>>
>> This is explained in raddb/certs/README - Compatibility. You should try
>> altering the make client command in the Makefile so that client certificates
>> are signed by the ca and not by the server certificate.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
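The debug output above shows the suffix module stripping the realm and proxying the request to 127.0.0.1, where the EAP module rejects it because the identity carried inside EAP-Message no longer equals the stripped User-Name. The following Python is an added example, not code from this thread or from FreeRADIUS: it decodes the EAP-Message, User-Name and Proxy-State attributes from a constructed excerpt of the proxied request and reproduces that comparison, modelling rlm_eap's check as plain string equality (an assumption).

```python
import re
import struct
# Constructed excerpt of the proxied Access-Request from the debug output above (rad_recv format).
PROXIED_REQUEST = """\
        User-Name = "user"
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Proxy-State = 0x323036
"""
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(".*?"|0x[0-9a-fA-F]+|\S+)\s*$', re.M)

def parse_attrs(debug_text):
    """Collect the attribute = value pairs of one rad_recv/Sending block of radiusd -X output."""
    attrs = {}
    for name, value in ATTR_RE.findall(debug_text):
        if value.startswith('"'):
            attrs[name] = value[1:-1]               # quoted string attribute
        elif value.startswith("0x"):
            attrs[name] = bytes.fromhex(value[2:])  # octets attribute
        else:
            attrs[name] = value                     # integer / enum name
    return attrs

def parse_eap(raw):
    """Decode an EAP packet (RFC 3748): Code, Identifier, Length, then Type and Type-Data."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        pkt["type"] = raw[4]
        if raw[4] == EAP_TYPE_IDENTITY:
            pkt["identity"] = raw[5:].decode("utf-8", errors="replace")
    return pkt

def check_identity(debug_text):
    """Return (eap_identity, user_name, proxy_state, match); match models rlm_eap's
    comparison as plain string equality (an assumption, not FreeRADIUS code)."""
    attrs = parse_attrs(debug_text)
    identity = parse_eap(attrs["EAP-Message"]).get("identity")
    user_name = attrs.get("User-Name")
    proxy_state = attrs.get("Proxy-State", b"").decode("ascii", errors="replace")
    return identity, user_name, proxy_state, identity == user_name

if __name__ == "__main__":
    print(check_identity(PROXIED_REQUEST))
```

On the excerpt above this yields identity user@example.com against User-Name "user" (no match) and a Proxy-State of "206", the id of the original request from the NAS.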