EAP-TLS with Ldap

Usuário do Sistema maiconlp at ig.com.br
Sat Mar 12 21:52:24 CET 2011


Thanks Guy, but where do I configure (which file?) in FreeRADIUS to use NT-LM
when it queries the LDAP server?


Thanks



2011/3/12 Guy <guy at britewhite.net>

>
>
> ---Guy
>
> Sent from my iPad
>
> On 12 Mar 2011, at 20:06, Usuário do Sistema <maiconlp at ig.com.br> wrote:
>
>   Hello, I'm new to FreeRADIUS and I'm deploying it with EAP-TLS to
> authenticate my wireless users, who will be authenticated against an
> OpenLDAP base.
>
>
> I'm using freeradius2 and when I run a test from another Linux machine with
> the command "radtest joao.vero jango123 128.2.100.131 2 meleca" it works, with
> the following output:
>
> Sending Access-Request of id 45 to 128.2.100.131 port 1645
>         User-Name = "joao.vero"
>         User-Password = "jango123"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 2
> rad_recv: Access-Accept packet from host 128.2.100.131:1645, id=45,
> length=20
>
> But when I try to authenticate wireless users from Win7 (with
> EAP-TLS, I'm using the test certificate from /etc/raddb/certs/..) it isn't
> working. This appears in the log:
>
> TLS Alert read:fatal:unknown CA
>     TLS_accept:failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
>
> What I have done so far in relation to EAP-TLS:
>
> I've configured the eap.conf file to read the certificates from
> /etc/raddb/certs/...
> I've created the user certificate (as shown in the README in /etc/raddb/certs)
> I've copied and installed two certificates on the user machine: cliente.p12 and
> ca.der, the first as personal and the second as Trusted Root
> Certification Authorities
>
> I wish to use LDAP to authenticate my users but it seems that User-Password
> must be clear text. Is it possible to use EAP-TLS with LDAP?
>
> What should I do?
>
> any help is welcome
>
> Thank!
>
>
>
>  -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> You have an issue with the cert: the cert the client is sending back is not
> recognised by FreeRADIUS.
>
> As for authenticating, you can do this without clear text but you'll need to
> use NT-LM, with which you use Samba to create NTSambaPassword in the LDAP
> database, which it can auth with.
>
> You will likely have to extend the schema for your LDAP server, though
> that's quite well documented for adding in Samba support.
>
> Thanks
>
> --Guy
>
>

