EAP-TLS with Ldap

Guy guy at britewhite.net
Sat Mar 12 21:25:00 CET 2011



---Guy

Sent from my iPad

On 12 Mar 2011, at 20:06, Usuário do Sistema <maiconlp at ig.com.br> wrote:

> Hello, I'm new to FreeRADIUS and I'm deploying it with EAP-TLS to authenticate my wireless users, who will be authenticated against an OpenLDAP base.
>  
>  
> I'm using freeradius2 and when I make a test from another Linux machine with the command "radtest joao.vero jango123 128.2.100.131 2 meleca" it works, with the following output:
>  
> Sending Access-Request of id 45 to 128.2.100.131 port 1645
>         User-Name = "joao.vero"
>         User-Password = "jango123"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 2
> rad_recv: Access-Accept packet from host 128.2.100.131:1645, id=45, length=20
>  
> But when I try to authenticate wireless users from Win7 (with EAP-TLS; I'm using the test certificates from /etc/raddb/certs/..) it isn't working. This appears in the log:
>  
> TLS Alert read:fatal:unknown CA
>     TLS_accept:failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
>  
> What I have done so far in relation to EAP-TLS:
>  
> I've configured the eap.conf file to read the certificates from /etc/raddb/certs/...
> I've created the user certificate (as the README in /etc/raddb/certs shows)
> I've copied and installed two certificates on the user machine: cliente.p12 and ca.der, the first as Personal and the second as Trusted Root Certification Authorities
>  
> I wish to use LDAP to authenticate my users, but it seems that User-Password must be clear text. Is it possible to do EAP-TLS with LDAP?
>  
> What do I have to do?
>  
> Any help is welcome.
>  
> Thanks!
>  
>  

You have an issue with the cert: the cert the client is sending back is not recognised by FreeRADIUS.

As for authenticating, you can do this without clear text, but you'll need to use NT-LM, with which you use Samba to create NTSambaPassword in the LDAP database, which it can auth with.

You will likely have to extend the schema for your LDAP server, though that's quite well documented for adding in Samba support.

Thanks 

--Guy
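As an added illustration (not from either message in this thread), the script below builds a throw-away test PKI with openssl and checks whether a client certificate chains to a given CA, which is the trust relationship that TLS reports as broken with an "unknown CA" alert; it also exports the CA in DER form and prints its fingerprint for comparison with what the Windows client shows. The names radius-ca, other-ca and cliente are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a throw-away test PKI with
# openssl and check whether a client cert chains to a given CA. The case
# that fails is what TLS reports as "unknown CA". All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1 (key and PEM cert) in $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a client cert named $2 signed by CA $1 (what the README steps in
# /etc/raddb/certs do before bundling the result into the client .p12).
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/$2.pem" 2>/dev/null
}

# Exit 0 when cert $2 chains to CA $1, non-zero otherwise.
chain_ok() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Export CA $1 as DER (the form Windows imports into Trusted Root CAs) and
# print its SHA-1 fingerprint, to compare with what the client displays.
ca_fingerprint_der() {
    openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
    openssl x509 -inform DER -in "$WORK/$1.der" -noout -fingerprint -sha1
}

make_ca radius-ca       # the CA the RADIUS server is configured with
make_ca other-ca        # an unrelated CA, e.g. leftover default test certs
make_client radius-ca cliente

chain_ok radius-ca cliente && echo "cliente chains to radius-ca: OK"
chain_ok other-ca cliente || echo "cliente does not chain to other-ca (the unknown CA case)"
ca_fingerprint_der radius-ca
```

Run the same `openssl verify` with the CA file named in eap.conf against the certificate actually installed on the client to see which side of the trust relationship is missing.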