question about windows users

Bartosz Chodzinski bartosz.c at gmail.com
Wed May 20 12:44:53 CEST 2009


Back to the beginning, using the simplest conf.

To be sure that I have a clean configuration:
#apt-get remove freeradius
#dpkg -P freeradius
#dpkg -i freeradius_2.1.6-0_i386.deb
The server is Debian etchnhalf; it is a virtual server on VMware ESX Server 3i,
3.5.0.

Now I have a clean configuration and make simple changes.

changes:
radiusd.conf
proxy_requests  = no #was yes, set to no because I don't need it
#$INCLUDE proxy.conf #was uncommented, see above

eap.conf
no changes at all

clients.conf
added a client - 192.168.5.0/24.... (client Cisco 2950)

Next I made a client certificate (using the standard scripts):
#cd /etc/freeradius/certs
#make client
and installed the certificates client.p12 and ca.der on Win XP Prof SP3 OEM, Acer
TravelMate 380.
The certificates are installed in the Trusted Root CA and Personal stores (I deleted
all previous certs on that system).

I still have the problem described in my previous post:
>exclamation mark on client certificate:
>"windows does not have enough information to verify this certificate"
>"you have private key that corresponds to this certificate"
>http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu
but I am frightened to make any changes without your permission in
/etc/freeradius/certs/Makefile, and even though I have your permission I still
don't know what to change.
I got familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I did
not find what to change in this file.

Ivan wrote:
>Use your own domain. For EAP-TLS - no modification needed. I have seen you
>going on about PEAP as well. If those users are also using format
>user@your_domain, then create local realm your_domain - it won't interfere
>with EAP-TLS and will create Stripped-User-Name that can be used for
>authentication.
I don't want to have a domain yet; all I want to have at the beginning is:
server radius + server certificate (common name: server_cert - signed by
my_radius_CA)
clients radius (cisco 2950)
user radius (winxp) + client certificate (common name: client_cert - signed
by my_radius_CA)
no usernames, no passwords for usernames, no proxies, no domains at all.

I used the files ca, server, client, dh, random created by the
/etc/freeradius/certs/bootstrap script.

I know that I am at the start of the topic; I am listening, really.
Bartosz.

freeradius -X

rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=226,
length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x9bcadf204cf30292cfb7f1abed75501b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 226 to 192.168.5.206 port 1812
        EAP-Message = 0x0101001604108a193ba39f65974f35dc5b3140db877f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x495360bd49526405f11f72d516a953d3
Finished request 0.
Going to the next request




On Wed, May 20, 2009 at 11:38 AM, Ivan Kalik <tnt at kalik.net> wrote:

> > could you give me good freeradius guide for dummies - I think I need it
> :)
> >
>
> Guide: don't make any changes to the default configuration unless you know
> what you are doing. That's it.
>
> Server is configured by default to handle EAP-TLS. There is nothing that
> you need to do to make it happen.
>
> Now, about your problem: freeradius uses fake realm example.com - for
> examples of proxying, fail-over home servers, use of virtual servers etc.
> Why are *you* using it as well? These examples are not what you want to
> do.
>
> Use your own domain. For EAP-TLS - no modification needed. I have seen you
> going on about PEAP as well. If those users are also using format
> user@your_domain, then create local realm your_domain - it won't interfere
> with EAP-TLS and will create Stripped-User-Name that can be used for
> authentication.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
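The two EAP-Message attributes in the freeradius -X output above can be decoded by hand. The following Python is an added example, not code from the original post or from the FreeRADIUS project: it parses those two attribute values (copied verbatim from the log) and shows that the client sent an EAP-Response/Identity for user@example.com and that the server answered with an EAP-Request/MD5-Challenge, i.e. the first method the server offered was EAP-MD5, not EAP-TLS. The build_nak helper is an assumption about what happens next: it builds the generic RFC 3748 Nak a TLS-capable supplicant sends to ask for type 13; that packet does not appear in the thread.

```python
"""Decode the EAP-Message attributes printed by 'freeradius -X' (example code).

EAP packet layout (RFC 3748):
  Code (1) | Identifier (1) | Length (2, big-endian, whole packet) | Type (1) | Type-Data
Code 1 = Request, 2 = Response, 3 = Success, 4 = Failure.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Attribute values copied from the Access-Request / Access-Challenge in the log above.
IDENTITY_RESPONSE = "0x020000150175736572406578616d706c652e636f6d"
MD5_CHALLENGE = "0x0101001604108a193ba39f65974f35dc5b3140db877f"


def parse_eap(hex_attr):
    """Parse one EAP-Message value (as printed by radiusd -X) into a dict."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # The Length field covers the whole packet; a mismatch means a truncated or padded attribute.
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):          # only Request/Response carry a Type byte
        eap_type = raw[4]
        data = raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:       # Identity: the outer user name the server uses for realm lookup
            pkt["identity"] = data.decode("ascii")
        elif eap_type == 4:     # MD5-Challenge: Value-Size byte, Value, then optional Name
            vsize = data[0]
            pkt["challenge"] = data[1:1 + vsize].hex()
            pkt["name"] = data[1 + vsize:].decode("ascii", "replace")
        elif eap_type == 3:     # Nak: one byte per desired type
            pkt["desired"] = [EAP_TYPES.get(t, t) for t in data]
        else:
            pkt["data"] = data.hex()
    return pkt


def build_nak(request_id, desired_type=13):
    """Build the EAP-Response/Nak a supplicant sends when it rejects the offered type.

    Assumption: this is the generic RFC 3748 Nak, not a packet taken from the log above.
    A supplicant configured for EAP-TLS answers the MD5 request with a Nak for type 13.
    """
    body = bytes([3, desired_type])             # Type 3 = Nak, followed by desired type(s)
    length = 4 + len(body)
    return "0x" + (struct.pack("!BBH", 2, request_id, length) + body).hex()


if __name__ == "__main__":
    for label, attr in (("Access-Request", IDENTITY_RESPONSE),
                        ("Access-Challenge", MD5_CHALLENGE)):
        print(label, parse_eap(attr))
    nak = build_nak(parse_eap(MD5_CHALLENGE)["id"])
    print("Supplicant Nak requesting EAP-TLS:", nak, parse_eap(nak))
```

Run it with python3. The Length check in parse_eap is worth keeping when reading EAP fragments out of real captures: a RADIUS packet can carry several EAP-Message attributes that must be concatenated before the Length field adds up.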