Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Fri Jan 21 23:53:31 CET 2011


@ Brett
I do have tunneled replies enabled. I was able to find the cause of the TLS error: I was using the wrong cert :( typo on my part.
However, after MUCH searching and calling of the experts, I am abandoning the public cert route because it is apparently impossible to have the Windows clients auto-configure without purchasing extra software. I will leave my true thoughts about this unspoken.
@ all
Thanks for all the assistance.
Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Brett Littrell
Sent: Friday, January 21, 2011 3:01 PM
To: FreeRadius users mailing list
Subject: RE: Generating a Microsoft compatible CSR for FreeRADIUS

Hi Jake,

    Have you tried enabling tunnelled replies on the FreeRADIUS server? I believe it is in the eap.conf file. Not exactly sure of your config or what you are doing, but some of the data in the debug looks like ciphertext, which indicates to me that something is not decrypting the packets or does not know that the information it is getting is encrypted.

    I was seeing similar stuff in a debug on a Cisco switch I was configuring for dynamic VLAN switching with RADIUS; it turned out I had to enable tunneled replies for PEAP. EAP worked just fine.


Brett Littrell
Network Manager
Milpitas Unified School District
blittrell at musd.org
Ph# (408)635-2600 X6086
Fax# (408)635-2632



>>> On Friday, January 21, 2011 at 6:10 AM, in message <3A9815D880FBAF41A523B3A35AF3C3DF06B0D246 at AVATAR.umhb.edu>, "Sallee, Stephen (Jake)" <Jake.Sallee at umhb.edu> wrote:
Has anyone gotten Windows clients to work WITHOUT having to do any manual config on the clients?

Is it even possible?

Also, I have my shiny new publicly signed cert from Comodo, but my clients are still rejecting the connection ... I think the error is here:

[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.

But I don't know why I would be getting a read error; the certs that I installed have the same permissions as the test certs...

Here is the full debug, any help is appreciated:

FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Sep 28 2010 at 09:20:29
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/UMHB
including configuration file /usr/local/etc/raddb/sites-available/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/Cru
including configuration file /usr/local/etc/raddb/sites-available/default
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
    allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
    prefix = "/usr/local"
    localstatedir = "/usr/local/var"
    logdir = "/usr/local/var/log/radius"
    libdir = "/usr/local/lib"
    radacctdir = "/usr/local/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 25600
    pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = no
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
    nostrip
}
realm LOCAL {
}
realm Cru {
}
realm Cru.umhb.edu {
}
realm umhb {
}
realm umhb.edu {
}
radiusd: #### Loading Clients ####
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
}
client 10.2.1.75/32 {
    require_message_authenticator = no
    secret = "Burg3rk1ng!"
    shortname = "PacketFence"
}
client 10.11.30.0/24 {
    require_message_authenticator = no
    secret = "Burg3rk1ng!"
    shortname = "Sanderford"
}
client 10.11.60.0/24 {
    require_message_authenticator = no
    secret = "Burg3rk1ng!"
    shortname = "Sanderford"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
  }
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm}  --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
  unix {
    radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
  eap {
    default_eap_type = "peap"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "/usr/local/etc/raddb/certs/Production/myserver.key"
    certificate_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.crt"
    CA_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.ca-bundle"
    private_key_password = "Burg3rk1ng!"
    dh_file = "/usr/local/etc/raddb/certs/Production/dh"
    random_file = "/usr/local/etc/raddb/certs/Production/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/usr/local/etc/raddb/certs/Production/bootstrap"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
   }
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
   ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
    include_length = yes
   }
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
   peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
   }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
   }
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
  realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
  files {
    usersfile = "/usr/local/etc/raddb/users"
    acctusersfile = "/usr/local/etc/raddb/acct_users"
    preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
    compat = "no"
  }
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file /usr/local/etc/raddb/modules/perl
  perl {
    module = "/usr/local/etc/raddb/packetfence.pm"
    func_authorize = "authorize"
    func_authenticate = "authenticate"
    func_accounting = "accounting"
    func_preacct = "preacct"
    func_checksimul = "checksimul"
    func_detach = "detach"
    func_xlat = "xlat"
    func_pre_proxy = "pre_proxy"
    func_post_proxy = "post_proxy"
    func_post_auth = "post_auth"
    func_recv_coa = "recv_coa"
    func_send_coa = "send_coa"
  }
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
  radutmp {
    filename = "/usr/local/var/log/radius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
    attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
    key = "%{User-Name}"
  }
} # modules
} # server
server UMHB { # from file /usr/local/etc/raddb/sites-enabled/UMHB
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
  preprocess {
    huntgroups = "/usr/local/etc/raddb/huntgroups"
    hints = "/usr/local/etc/raddb/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
  detail {
    detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
    attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
    key = "%{User-Name}"
  }
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server Cru { # from file /usr/local/etc/raddb/sites-enabled/Cru
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
listen {
    type = "control"
listen {
    socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
======================================================
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=226, length=193
    User-Name = "host/Lappy.umhb.edu"
    NAS-IP-Address = 10.11.60.2
    NAS-Port = 129
    Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
    Calling-Station-Id = "C4-17-FE-33-C6-A7"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
    EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475
    Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = C4-17-FE-33-C6-A7
rlm_perl: Added pair Called-Station-Id = 00-0F-7D-05-0E-81:UMHB Secure WiFi
rlm_perl: Added pair Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801
rlm_perl: Added pair User-Name = host/Lappy.umhb.edu
rlm_perl: Added pair EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475
rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/1Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.11.60.2
rlm_perl: Added pair NAS-Port = 129
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 226 to 10.11.60.2 port 32777
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x330f4dc9330d546872b9f993281128fc
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=227, length=315
    User-Name = "host/Lappy.umhb.edu"
    NAS-IP-Address = 10.11.60.2
    NAS-Port = 129
    Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
    Calling-Station-Id = "C4-17-FE-33-C6-A7"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
    EAP-Message = 0x0202008019800000007616030100710100006d03014d39919676cd85f8dcfe3f2afef335ec7a98b2eb9095d964891b3484c06fc78e000018002f00350005000ac013c014c009c00a00320038001300040100002cff0100010000000013001100000e6c617070792e756d68622e656475000a0006000400170018000b00020100
    State = 0x330f4dc9330d546872b9f993281128fc
    Message-Authenticator = 0x9165fc9281fe451bdcf9db8487dd8e79
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 118
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0071], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 227 to 10.11.60.2 port 32777
    EAP-Message = 0x0103040019c000000b1c16030100310200002d03014d399195fd2d232a53dfee5dce680c057cfc54fe9686405232871c57112f6efa00002f000005ff010001001603010ad80b000ad4000ad10005cb308205c7308204afa003020102021012949e4e96f5c2b15c9a16c71c4cc811300d06092a864886f70d0101050500308189310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312f302d06035504031326434f4d4f444f20486967682d4173737572616e63652053656375
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 0x68747470733a2f2f73656375
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x330f4dc9320c546872b9f993281128fc
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=228, length=193
    User-Name = "host/Lappy.umhb.edu"
    NAS-IP-Address = 10.11.60.2
    NAS-Port = 129
    Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
    Calling-Station-Id = "C4-17-FE-33-C6-A7"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
    EAP-Message = 0x020300061900
    State = 0x330f4dc9320c546872b9f993281128fc
    Message-Authenticator = 0x735474693c2ad02c4b885b94ea32aad5
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 228 to 10.11.60.2 port 32777
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 0x37b9c76dce77c726
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x330f4dc9310b546872b9f993281128fc
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=229, length=193
    User-Name = "host/Lappy.umhb.edu"
    NAS-IP-Address = 10.11.60.2
    NAS-Port = 129
    Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
    Calling-Station-Id = "C4-17-FE-33-C6-A7"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
    EAP-Message = 0x020400061900
    State = 0x330f4dc9310b546872b9f993281128fc
    Message-Authenticator = 0x61212145984f95fcd4339ef828985296
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 229 to 10.11.60.2 port 32777
    EAP-Message = 0x010503361900e0d7741fa69816bb0c6bc8be77d0ef58a729a0b9b8690536cbb2da58a30b75ad3d8b2282203e7086991cb94fcf77a4071a2363d1385684ecbf8fc54ef418969b1ae893ec8daf159c24f05a3be80fb9a85a01d3b21c60c99c5204dd92a7fe0cace2458d0361bc79e0772e87413c585fcbf5c577f258c84d28d09afaf37309246874bc204cd82cb0aae8d94e6df28c24d3935d910203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e041604143fd5b5d0d64479504a17a39b8c4adcb8b022646b300e0603551d0f0101ff04040302010630120603551d13
    EAP-Message = 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
    EAP-Message = 0x050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d0101050500038201010013851f528018c953f7fe2e1aafccd90b3cc2d3858110f0288db9407e2c9e8fd636860a4c142dd69743924119374b969eeba930791295b3023657ed2bb91d981aa3180a3f9b398bcda149294c2ff9d0958cc84d95baa843cf33aa252a5a0eaa27c94e6bb1e6731fb37404c3f34ce2a8eb67b75db808051a569a542985f5294e803b95d07b53961156c102d3eab27fca8f9c704a148d5ab9166075d6cd271e16cd5b338e7940cf2848e7dc71164e749175b92a8cf170ac26dd04b940c285de1c9340d0cc6ec39baaef6065
    EAP-Message = 0xdf6022f05aa57aa22fe47073ee3cd4262b6807c1207ae8985a3e7b9f028b62c085818060357ea51d0cd29cdf62450ddbfc37fbf5252216030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x330f4dc9300a546872b9f993281128fc
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=230, length=525
    User-Name = "host/Lappy.umhb.edu"
    NAS-IP-Address = 10.11.60.2
    NAS-Port = 129
    Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
    Calling-Station-Id = "C4-17-FE-33-C6-A7"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
    EAP-Message = 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
    EAP-Message = 0x1163bb4e662da80dabf30e1455b1be69bd55c68de35bcb7d1403010001011603010030f378c58fc4f96e96bf4aba29aa08962242ce0e3007898a99849af855f11f5116f7ecea3850db2d6561b4599c404e627a
    State = 0x330f4dc9300a546872b9f993281128fc
    Message-Authenticator = 0x06d78d3c33e3d757129782abcb1d3133
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 230 to 10.11.60.2 port 32777
    EAP-Message = 0x010600411900140301000101160301003005369ff6b06a4224824062f6fcfe0092357c4da2fd59baab8c1c5b071e939e71e83b578bd081ee5fa8d3ac3566b8a1bd
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x330f4dc93709546872b9f993281128fc
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=231, length=234
    User-Name = "host/Lappy.umhb.edu"
    NAS-IP-Address = 10.11.60.2
    NAS-Port = 129
    Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
    Calling-Station-Id = "C4-17-FE-33-C6-A7"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
    EAP-Message = 0x0206002f198000000025150301002071521862587c6d52360e98091cd5d99f81ea6febe82fd2a7401f8b1970c3cf65
    State = 0x330f4dc93709546872b9f993281128fc
    Message-Authenticator = 0xe0cebdb5cdcd98a378bd88f15213b843
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 47
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 37
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state ?
[peap] FAILED processing PEAP: Tunneled data is invalid.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> host/Lappy.umhb.edu
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 231 to 10.11.60.2 port 32777
    EAP-Message = 0x04060004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 226 with timestamp +18
Cleaning up request 1 ID 227 with timestamp +18
Cleaning up request 2 ID 228 with timestamp +18
Cleaning up request 3 ID 229 with timestamp +18
Cleaning up request 4 ID 230 with timestamp +18
Waking up in 1.0 seconds.
Cleaning up request 5 ID 231 with timestamp +18
Ready to process requests.


Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] on behalf of Peter Lambrechtsen [plambrechtsen at gmail.com]
Sent: Friday, January 21, 2011 7:11 AM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS

On Fri, Jan 21, 2011 at 10:33 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>    2) Issuing client certs isn't that difficult. With windows vista/7,
>    installing a cert is a simple double-click operation, so if they have a
>    usb flash, you can use linux to zip a copy of their private key and a .doc
>    with instructions (including screenies!) on configuring their OS in a
>    matter of seconds, all they have to do is stop by IT to request a key
>    once, and it's good for as long as you honour it.

If dealing with client keys - most of the time it's just PEAP with user/pass
and it's the CA that's an issue.  Even then there are ways of doing this quite
easily... eg https://su1x.sf.net

I also quite like using the root certificates tool which happily imports certificates into the root certificate store in windows.

Go to here: http://support.microsoft.com/kb/931125

Download "rootsupd.exe" (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe) from there and expand it with winzip or winrar.

Then convert your DER file into a P7B using OpenSSL:

openssl crl2pkcs7 -nocrl -certfile internalca1.der -certfile internalca2.der -out internalca.p7b

Then use "updroots.exe" included in the exe to import the certificate into your local certificate chain:

updroots -l internalca.p7b

And you're done

You can even use "iexpress" if you're running windows XP to re-package everything back into a self extracting exe.
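As an added example, not code from Peter's post or from the FreeRADIUS project, the following POSIX sh script builds the .p7b bundle the post describes and counts the certificates inside it as a check before the bundle is shipped to clients. It generates two throw-away self-signed "internal CA" certificates (constructed input, not real CAs) so it runs offline, and it assumes openssl is on PATH; since openssl crl2pkcs7 -certfile reads PEM, DER input is converted first with openssl x509 -inform DER.

```shell
#!/bin/sh
# Added example (not from the thread): bundle DER-encoded internal CA
# certificates into a PKCS#7 (.p7b) file for import with updroots.
# Assumes openssl is on PATH; CA names and file names are constructed.
set -e

# Create a throw-away self-signed CA cert in DER form (constructed sample
# input so the script runs offline). $1 = output base name, $2 = CN
make_der_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
    openssl x509 -in "$1.pem" -outform DER -out "$1.der"
}

# Bundle DER certificates into a .p7b. $1 = output file, rest = DER files.
# Caveat: crl2pkcs7 -certfile expects PEM, so each DER file is converted.
bundle_p7b() {
    out="$1"; shift
    tmp="$out.pem.tmp"; : > "$tmp"
    for der in "$@"; do
        openssl x509 -inform DER -in "$der" >> "$tmp"
    done
    openssl crl2pkcs7 -nocrl -certfile "$tmp" -out "$out"
    rm -f "$tmp"
}

# Count the certificates inside a .p7b (one "subject=" line per cert).
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs -noout 2>/dev/null | grep -c '^subject='
}

# End-to-end run in a scratch directory; prints the number of certs bundled.
demo() {
    workdir=$(mktemp -d)
    ( cd "$workdir" &&
      make_der_ca internalca1 "Internal CA 1" &&
      make_der_ca internalca2 "Internal CA 2" &&
      bundle_p7b internalca.p7b internalca1.der internalca2.der &&
      p7b_cert_count internalca.p7b )
    rm -rf "$workdir"
}
```

Running `demo` reports 2 for the two constructed CAs; the resulting internalca.p7b is what `updroots -l` would then import.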
