Authentication Failed
Devinder Singh
devinbhullar at gmail.com
Thu Jan 21 03:18:13 CET 2010
Hello
I have followed the procedures to create EAP certificates in etc/raddb/certs
but when I copy the ca.der and client.p12 my Windows XP cannot seem to
authenticate to the RADIUS server.
I can see a small balloon appearing on XP stating failed to authenticate on
palstaff.
My Proxim AP reports Radius Server Error but I have already set the RADIUS
server IP address in the Proxim AP.
I have also updated my Makefile as below to allow XP clients to
authenticate
######################################################################
#
# Create a new client certificate, signed by the above server
# certificate.
#
######################################################################
client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr \
		-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext \
		-extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

# .PHONY target name corrected from server.vrfy to match the rule below
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem
$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
and redo the certificates.
Please, I need help on this.
Regards
Devinder
2010/1/20 Devinder Singh <devinbhullar at gmail.com>
> After I had restarted my XP
>
> i get to see Windows was unable to log you on to palstaff.
>
>
> palstaff is my SSID
>
>
> Devinder
>
>
> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>
>> When I click on my SSID I get authentication failed. The Proxim AP reports
>> Radius not connected and I don't get to see any reply on the Radius Server
>>
>>
>>
>> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>>
>>> ######################################################################
>>> #
>>> # Create a new client certificate, signed by the above server
>>> # certificate.
>>> #
>>> ######################################################################
>>> client.csr client.key: client.cnf
>>> 	openssl req -new -out client.csr -keyout client.key -config ./client.cnf
>>>
>>> client.crt: client.csr ca.pem ca.key index.txt serial
>>> 	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr \
>>> 		-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext \
>>> 		-extfile xpextensions -config ./client.cnf
>>>
>>> client.p12: client.crt
>>> 	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 \
>>> 		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
>>>
>>> client.pem: client.p12
>>> 	openssl pkcs12 -in client.p12 -out client.pem \
>>> 		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
>>> 	cp client.pem $(USER_NAME).pem
>>>
>>> # .PHONY target name corrected from server.vrfy to match the rule below
>>> .PHONY: client.vrfy
>>> client.vrfy: ca.pem client.pem
>>> 	c_rehash .
>>> 	openssl verify -CApath . client.pem
>>>
>>>
>>>
>>> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>>>
>>>> Hi Ivan,
>>>>
>>>> I can't seem to authenticate my Windows XP client using EAP
>>>> authentication. I have followed the steps in /etc/raddb/certs
>>>>
>>>> This is my radius startup
>>>> Module: Instantiating eap-tls
>>>>  tls {
>>>>     rsa_key_exchange = no
>>>>     dh_key_exchange = yes
>>>>     rsa_key_length = 512
>>>>     dh_key_length = 512
>>>>     verify_depth = 0
>>>>     pem_file_type = yes
>>>>     private_key_file = "/etc/raddb/certs/server.pem"
>>>>     certificate_file = "/etc/raddb/certs/server.pem"
>>>>     CA_file = "/etc/raddb/certs/ca.pem"
>>>>     private_key_password = "myettelap"
>>>>     dh_file = "/etc/raddb/certs/dh"
>>>>     random_file = "/etc/raddb/certs/random"
>>>>     fragment_size = 1024
>>>>     include_length = yes
>>>>     check_crl = no
>>>>     cipher_list = "DEFAULT"
>>>>     make_cert_command = "/etc/raddb/certs/bootstrap"
>>>>    cache {
>>>>     enable = no
>>>>     lifetime = 24
>>>>     max_entries = 255
>>>>    }
>>>>  }
>>>> Module: Linked to sub-module rlm_eap_ttls
>>>> Module: Instantiating eap-ttls
>>>>  ttls {
>>>>     default_eap_type = "md5"
>>>>     copy_request_to_tunnel = no
>>>>     use_tunneled_reply = no
>>>>     virtual_server = "inner-tunnel"
>>>>  }
>>>> Module: Linked to sub-module rlm_eap_peap
>>>> Module: Instantiating eap-peap
>>>>  peap {
>>>>     default_eap_type = "mschapv2"
>>>>     copy_request_to_tunnel = no
>>>>     use_tunneled_reply = no
>>>>     proxy_tunneled_request_as_eap = yes
>>>>     virtual_server = "inner-tunnel"
>>>>  }
>>>> Module: Linked to sub-module rlm_eap_mschapv2
>>>> Module: Instantiating eap-mschapv2
>>>>  mschapv2 {
>>>>     with_ntdomain_hack = no
>>>>  }
>>>> Module: Checking authorize {...} for more modules to load
>>>> Module: Linked to module rlm_realm
>>>> Module: Instantiating suffix
>>>>  realm suffix {
>>>>     format = "suffix"
>>>>     delimiter = "@"
>>>>     ignore_default = no
>>>>     ignore_null = no
>>>>  }
>>>> Module: Linked to module rlm_files
>>>> Module: Instantiating files
>>>>  files {
>>>>     usersfile = "/etc/raddb/users"
>>>>     acctusersfile = "/etc/raddb/acct_users"
>>>>     preproxy_usersfile = "/etc/raddb/preproxy_users"
>>>>     compat = "no"
>>>>  }
>>>> Module: Checking session {...} for more modules to load
>>>> Module: Linked to module rlm_radutmp
>>>> Module: Instantiating radutmp
>>>>  radutmp {
>>>>     filename = "/var/log/radius/radutmp"
>>>>     username = "%{User-Name}"
>>>>     case_sensitive = yes
>>>>     check_with_nas = yes
>>>>     perm = 384
>>>>     callerid = yes
>>>>  }
>>>> Module: Checking post-proxy {...} for more modules to load
>>>> Module: Checking post-auth {...} for more modules to load
>>>> Module: Linked to module rlm_attr_filter
>>>> Module: Instantiating attr_filter.access_reject
>>>>  attr_filter attr_filter.access_reject {
>>>>     attrsfile = "/etc/raddb/attrs.access_reject"
>>>>     key = "%{User-Name}"
>>>>  }
>>>>  }
>>>> }
>>>> modules {
>>>> Module: Checking authenticate {...} for more modules to load
>>>> Module: Checking authorize {...} for more modules to load
>>>> Module: Linked to module rlm_preprocess
>>>> Module: Instantiating preprocess
>>>>  preprocess {
>>>>     huntgroups = "/etc/raddb/huntgroups"
>>>>     hints = "/etc/raddb/hints"
>>>>     with_ascend_hack = no
>>>>     ascend_channels_per_line = 23
>>>>     with_ntdomain_hack = no
>>>>     with_specialix_jetstream_hack = no
>>>>     with_cisco_vsa_hack = no
>>>>     with_alvarion_vsa_hack = no
>>>>  }
>>>> Module: Checking preacct {...} for more modules to load
>>>> Module: Linked to module rlm_acct_unique
>>>> Module: Instantiating acct_unique
>>>>  acct_unique {
>>>>     key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>>>>  }
>>>> Module: Checking accounting {...} for more modules to load
>>>> Module: Linked to module rlm_detail
>>>> Module: Instantiating detail
>>>>  detail {
>>>>     detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>>>>     header = "%t"
>>>>     detailperm = 384
>>>>     dirperm = 493
>>>>     locking = no
>>>>     log_packet_header = no
>>>>  }
>>>> Module: Instantiating attr_filter.accounting_response
>>>>  attr_filter attr_filter.accounting_response {
>>>>     attrsfile = "/etc/raddb/attrs.accounting_response"
>>>>     key = "%{User-Name}"
>>>>  }
>>>> Module: Checking session {...} for more modules to load
>>>> Module: Checking post-proxy {...} for more modules to load
>>>> Module: Checking post-auth {...} for more modules to load
>>>> }
>>>> radiusd: #### Opening IP addresses and Ports ####
>>>> listen {
>>>>     type = "auth"
>>>>     ipaddr = *
>>>>     port = 0
>>>> }
>>>> listen {
>>>>     type = "acct"
>>>>     ipaddr = *
>>>>     port = 0
>>>> }
>>>> Listening on authentication address * port 1812
>>>> Listening on accounting address * port 1813
>>>> Listening on proxy address * port 1814
>>>> Ready to process requests.
>>>>
>>>>
>>>> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>>>>
>>>>> Hi Ivan,
>>>>>
>>>>> I created the certificates based on the README file in etc/raddb and
>>>>> copied ca.der and client.p12 to Windows XP
>>>>>
>>>>> I also made changes to the Makefile which runs on XP, but when I
>>>>> connect to the SSID I get authentication failed and the radius does not seem
>>>>> to get any response from the Proxim AP.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Devinder
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Devinder
>>>>
>>>
>>>
>>>
>>> --
>>> Devinder
>>>
>>
>>
>>
>> --
>> Devinder
>>
>
>
>
> --
> Devinder
>
--
Devinder
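Added example, not part of the thread: a small Python audit of the eap-tls section of radiusd startup output like the one quoted above. It reassembles the key/value pairs that the paste split across lines, skips the nested cache { } block, and flags the settings a reviewer would raise (check_crl = no, a 512-bit DH length, and the private key password being printed into debug output). The sample log and its password are constructed placeholders, not the poster's real values.

```python
import re

# Constructed sample shaped like the radiusd startup output quoted in the thread;
# one pair is split across lines as in the paste, and the password is a placeholder.
SAMPLE_LOG = """\
 Module: Instantiating eap-tls
  tls {
    dh_key_exchange = yes
    dh_key_length =
    512
    private_key_file = "/etc/raddb/certs/server.pem"
    CA_file = "/etc/raddb/certs/ca.pem"
    private_key_password = "PLACEHOLDER-PASSWORD"
    check_crl = no
    cipher_list = "DEFAULT"
   cache {
    enable = no
   }
  }
 Module: Linked to sub-module rlm_eap_ttls
"""

def parse_tls_block(log):
    """Top-level settings of the 'tls { ... }' section as a dict; nested blocks
    are skipped and a value moved onto the line after 'key =' is rejoined."""
    start = log.index("tls {") + len("tls {")
    depth, top = 1, []
    for ch in log[start:]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                break
        if depth == 1:
            top.append(ch)
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|\S+)', "".join(top))
    return {k: v.strip('"') for k, v in pairs}

def audit_tls(conf):
    """Findings a reviewer would raise on the parsed section, as short codes."""
    findings = []
    if conf.get("check_crl", "no") == "no":
        findings.append("crl-not-checked")        # revoked client certs still accepted
    if conf.get("dh_key_exchange") == "yes" and int(conf.get("dh_key_length", 0)) < 2048:
        findings.append("weak-dh")                # DH enabled with a sub-2048-bit length
    if "private_key_password" in conf:
        findings.append("secret-in-debug-output")  # debug output prints the password
    return findings
```

Run the audit over a real `radiusd -X` capture before pasting it anywhere; the last finding is why the password in the quoted log should be rotated.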