Authentication Failed

Devinder Singh devinbhullar at gmail.com
Thu Jan 21 03:18:13 CET 2010


Hello

I have followed the procedures to create EAP certificates in etc/raddb/certs
but when I copy the ca.der and client.p12 my Windows XP cannot seem to
authenticate to the RADIUS server.

I can see a small balloon appearing on XP stating failed to authenticate on
palstaff.


My Proxim AP reports Radius Server Error but I have already set the RADIUS
server IP address in the Proxim AP.

I have also updated my Makefile as below to allow XP clients to
authenticate:



######################################################################
#
#  Create a new client certificate, signed by the above server
#  certificate.
#
######################################################################
client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem



$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

and redone the certificates.


Please, I need help on this.



Regards

Devinder


2010/1/20 Devinder Singh <devinbhullar at gmail.com>

> After I had restarted my XP
>
> I get to see Windows was unable to log you on to palstaff.
>
>
> palstaff is my SSID
>
>
> Devinder
>
>
> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>
>> When I click on my SSID I get authentication failed. The Proxim AP reports
>> Radius not connected and I don't get to see any reply on the RADIUS server.
>>
>>
>>
>> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>>
>>>
>>> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>>>
>>>> Hi Ivan,
>>>>
>>>> I can't seem to authenticate my Windows XP client using EAP
>>>> authentication. I have followed the steps in /etc/raddb/certs.
>>>>
>>>> This is my radius start up:
>>>> Module: Instantiating eap-tls
>>>>    tls {
>>>>         rsa_key_exchange = no
>>>>         dh_key_exchange = yes
>>>>         rsa_key_length = 512
>>>>         dh_key_length = 512
>>>>         verify_depth = 0
>>>>         pem_file_type = yes
>>>>         private_key_file = "/etc/raddb/certs/server.pem"
>>>>         certificate_file = "/etc/raddb/certs/server.pem"
>>>>         CA_file = "/etc/raddb/certs/ca.pem"
>>>>         private_key_password = "myettelap"
>>>>         dh_file = "/etc/raddb/certs/dh"
>>>>         random_file = "/etc/raddb/certs/random"
>>>>         fragment_size = 1024
>>>>         include_length = yes
>>>>         check_crl = no
>>>>         cipher_list = "DEFAULT"
>>>>         make_cert_command = "/etc/raddb/certs/bootstrap"
>>>>     cache {
>>>>         enable = no
>>>>         lifetime = 24
>>>>         max_entries = 255
>>>>     }
>>>>    }
>>>>  Module: Linked to sub-module rlm_eap_ttls
>>>>  Module: Instantiating eap-ttls
>>>>    ttls {
>>>>         default_eap_type = "md5"
>>>>         copy_request_to_tunnel = no
>>>>         use_tunneled_reply = no
>>>>         virtual_server = "inner-tunnel"
>>>>    }
>>>>  Module: Linked to sub-module rlm_eap_peap
>>>>  Module: Instantiating eap-peap
>>>>    peap {
>>>>         default_eap_type = "mschapv2"
>>>>         copy_request_to_tunnel = no
>>>>         use_tunneled_reply = no
>>>>         proxy_tunneled_request_as_eap = yes
>>>>         virtual_server = "inner-tunnel"
>>>>    }
>>>>  Module: Linked to sub-module rlm_eap_mschapv2
>>>>  Module: Instantiating eap-mschapv2
>>>>    mschapv2 {
>>>>         with_ntdomain_hack = no
>>>>    }
>>>>  Module: Checking authorize {...} for more modules to load
>>>>  Module: Linked to module rlm_realm
>>>>  Module: Instantiating suffix
>>>>   realm suffix {
>>>>         format = "suffix"
>>>>         delimiter = "@"
>>>>         ignore_default = no
>>>>         ignore_null = no
>>>>   }
>>>>  Module: Linked to module rlm_files
>>>>  Module: Instantiating files
>>>>   files {
>>>>         usersfile = "/etc/raddb/users"
>>>>         acctusersfile = "/etc/raddb/acct_users"
>>>>         preproxy_usersfile = "/etc/raddb/preproxy_users"
>>>>         compat = "no"
>>>>   }
>>>>  Module: Checking session {...} for more modules to load
>>>>  Module: Linked to module rlm_radutmp
>>>>  Module: Instantiating radutmp
>>>>   radutmp {
>>>>         filename = "/var/log/radius/radutmp"
>>>>         username = "%{User-Name}"
>>>>         case_sensitive = yes
>>>>         check_with_nas = yes
>>>>         perm = 384
>>>>         callerid = yes
>>>>   }
>>>>  Module: Checking post-proxy {...} for more modules to load
>>>>  Module: Checking post-auth {...} for more modules to load
>>>>  Module: Linked to module rlm_attr_filter
>>>>  Module: Instantiating attr_filter.access_reject
>>>>   attr_filter attr_filter.access_reject {
>>>>         attrsfile = "/etc/raddb/attrs.access_reject"
>>>>         key = "%{User-Name}"
>>>>   }
>>>>  }
>>>> }
>>>>  modules {
>>>>  Module: Checking authenticate {...} for more modules to load
>>>>  Module: Checking authorize {...} for more modules to load
>>>>  Module: Linked to module rlm_preprocess
>>>>  Module: Instantiating preprocess
>>>>   preprocess {
>>>>         huntgroups = "/etc/raddb/huntgroups"
>>>>         hints = "/etc/raddb/hints"
>>>>         with_ascend_hack = no
>>>>         ascend_channels_per_line = 23
>>>>         with_ntdomain_hack = no
>>>>         with_specialix_jetstream_hack = no
>>>>         with_cisco_vsa_hack = no
>>>>         with_alvarion_vsa_hack = no
>>>>   }
>>>>  Module: Checking preacct {...} for more modules to load
>>>>  Module: Linked to module rlm_acct_unique
>>>>  Module: Instantiating acct_unique
>>>>   acct_unique {
>>>>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>>>>   }
>>>>  Module: Checking accounting {...} for more modules to load
>>>>  Module: Linked to module rlm_detail
>>>>  Module: Instantiating detail
>>>>   detail {
>>>>         detailfile =
>>>> "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>>>>         header = "%t"
>>>>         detailperm = 384
>>>>         dirperm = 493
>>>>         locking = no
>>>>         log_packet_header = no
>>>>   }
>>>>  Module: Instantiating attr_filter.accounting_response
>>>>   attr_filter attr_filter.accounting_response {
>>>>         attrsfile = "/etc/raddb/attrs.accounting_response"
>>>>         key = "%{User-Name}"
>>>>   }
>>>>  Module: Checking session {...} for more modules to load
>>>>  Module: Checking post-proxy {...} for more modules to load
>>>>  Module: Checking post-auth {...} for more modules to load
>>>>  }
>>>> radiusd: #### Opening IP addresses and Ports ####
>>>> listen {
>>>>         type = "auth"
>>>>         ipaddr = *
>>>>         port = 0
>>>> }
>>>> listen {
>>>>         type = "acct"
>>>>         ipaddr = *
>>>>         port = 0
>>>> }
>>>> Listening on authentication address * port 1812
>>>> Listening on accounting address * port 1813
>>>> Listening on proxy address * port 1814
>>>> Ready to process requests.
>>>>
>>>>
>>>> 2010/1/20 Devinder Singh <devinbhullar at gmail.com>
>>>>
>>>>> Hi Ivan,
>>>>>
>>>>> I created the certificates based on the README file in etc/raddb and
>>>>> copied ca.der and client.p12 to Windows XP.
>>>>>
>>>>> I also made changes to the Makefile which runs on XP but when I
>>>>> connect to the SSID I get authentication failed and the radius does not seem
>>>>> to get any response from the Proxim AP.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Devinder
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Devinder
>>>>
>>>
>>>
>>>
>>> --
>>> Devinder
>>>
>>
>>
>>
>> --
>> Devinder
>>
>
>
>
> --
> Devinder
>



-- 
Devinder
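The startup output quoted in this thread prints every `tls { ... }` setting as `key = value`, and that output is where a reviewer first looks when an EAP-TLS deployment misbehaves. As an added illustration, not code from the original thread or from FreeRADIUS, the following Python script parses those blocks from a constructed excerpt of such output and reports the settings a defender would want to review: ephemeral key lengths below an assumed 2048-bit threshold (only where the corresponding key exchange is enabled), CRL checking disabled, and the private key password appearing in cleartext in the debug output, which makes the log itself a secret. The sample log, the `MIN_KEY_BITS` threshold and the function names are assumptions of this example.

```python
"""Audit the TLS settings printed in a FreeRADIUS startup log.

Added illustration, not code from the original thread or from FreeRADIUS.
The sample log below is a constructed excerpt modelled on the thread's
radiusd startup output, and MIN_KEY_BITS is an assumed review threshold.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample (not the poster's real output); values chosen to
# mirror the settings quoted in the thread.
SAMPLE_LOG = """\
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        private_key_file = "/etc/raddb/certs/server.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        CA_file = "/etc/raddb/certs/ca.pem"
        private_key_password = "EXAMPLE-PASSWORD"
        check_crl = no
        cipher_list = "DEFAULT"
   }
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        virtual_server = "inner-tunnel"
   }
"""

MIN_KEY_BITS = 2048  # assumed threshold for this illustration

OPEN_RE = re.compile(r'^\s*(\S+)\s*\{\s*$')       # e.g. "   tls {"
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')  # e.g. "  check_crl = no"


def parse_blocks(log: str) -> Dict[str, Dict[str, str]]:
    """Return {block_name: {key: value}} for each 'name { ... }' block.

    Only one nesting level is tracked, which is enough for the
    'Module: Instantiating' sections; quotes around values are stripped.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for line in log.splitlines():
        opened = OPEN_RE.match(line)
        if opened:
            current = opened.group(1)
            blocks.setdefault(current, {})
            continue
        if line.strip() == '}':
            current = None
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            blocks[current][kv.group(1)] = kv.group(2).strip('"')
    return blocks


def audit_tls(blocks: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (setting, observation) pairs worth a reviewer's attention."""
    tls = blocks.get('tls', {})
    findings: List[Tuple[str, str]] = []
    # Ephemeral key sizes only matter when that key exchange is enabled.
    for exchange, length in (('rsa_key_exchange', 'rsa_key_length'),
                             ('dh_key_exchange', 'dh_key_length')):
        if tls.get(exchange) == 'yes' and length in tls:
            bits = int(tls[length])
            if bits < MIN_KEY_BITS:
                findings.append((length, f'{bits} bits is below {MIN_KEY_BITS}'))
    if tls.get('check_crl') == 'no':
        findings.append(('check_crl', 'certificate revocation is not checked'))
    if 'private_key_password' in tls:
        findings.append(('private_key_password',
                         'secret is printed in the debug output; handle the log as sensitive'))
    return findings


if __name__ == '__main__':
    for setting, observation in audit_tls(parse_blocks(SAMPLE_LOG)):
        print(f'{setting}: {observation}')
```

Run it against a saved copy of the server's startup output instead of `SAMPLE_LOG` to get the same report for a real configuration; the parser deliberately ignores the `Module:` lines and only keeps the brace-delimited blocks, so unrelated log noise does not produce false findings.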