TTLS/PAP and Active Directory

Клеусов Владимир Сергеевич Kleusov.Vladimir at wildberries.ru
Thu Jul 9 20:17:37 CEST 2020


Did I understand the procedure correctly?
1) In the eap module we specify the root certificate
2) Create client certificates and sign them with this root certificate
3) On the Windows client we add our root certificate to the trusted root certificates
4) On the Windows client we add the generated client certificates to the trusted personal certificates
If this is true, does TTLS/PAP require certificates on the server and client? I thought TTLS/PAP only requires certificates on the server.

> On 9 July 2020, at 16:48, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Yes. That is all. Don't like certificate_file= , which is in the eap module? It's self-signed. Then I will try to add the Windows version to the trusted ones. If it doesn't work out, I will issue a valid certificate. Thanks. I'll write about the results later.
> 
>> On 9 July 2020, at 16:17, Alan DeKok <aland at deployingradius.com> wrote:
>> 
>> On Jul 9, 2020, at 9:13 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> 
>>> Thanks for http://wiki.freeradius.org/list-help
>>> I hope I sent debug correctly
>>> Debug output
>>> ...
>>> (3)     [eap-client] = handled
>>> (3)   } # authenticate = handled
>>> (3) Using Post-Auth-Type Challenge
>>> (3) Post-Auth-Type sub-section not found.  Ignoring.
>>> (3) # Executing group from file /etc/freeradius/sites-enabled/default
>>> (3) session-state: Saving cached attributes
>>> (3)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
>>> (3)   TLS-Session-Version = "TLS 1.2"
>>> (3) Sent Access-Challenge Id 131 from 10.42.2.128:1812 to 10.99.205.184:55719 length 0
>>> (3)   EAP-Message = 0x0105003d15800000003314030300010116030300285f7d126dd63c79758f16821fd74acb7dfe9c81039c98eb635eaa0d5d7d7de30b91d4963396290799
>>> (3)   Message-Authenticator = 0x00000000000000000000000000000000
>>> (3)   State = 0x800be644830ef39b9c89798185b75a0d
>>> (3) Finished request
>>> Waking up in 4.9 seconds.
>> 
>> And.... then what?  This doesn't show a full authentication which ends in Access-Accept.
>> 
>> If it stops here, then the client doesn't like the server certificate.  And this has nothing to do with LDAP.
>> 
>> Alan DeKok.
>> 
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 

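For reference, a FreeRADIUS 3.x `eap` module configuration for EAP-TTLS with PAP inside the tunnel, as an added example that is not from this thread or from the project's shipped config; the certificate paths under /etc/freeradius/certs are assumptions. It shows the server-side certificate material the tunnel needs, leaves client certificates optional, and hands the inner PAP request to the inner-tunnel virtual server where it can be checked against LDAP/AD.

```conf
# mods-available/eap (FreeRADIUS 3.x), trimmed to the parts relevant to TTLS/PAP.
# All file paths below are assumed; adjust them to your installation.
eap {
	# Offer TTLS first; the PAP exchange happens inside the TLS tunnel.
	default_eap_type = ttls

	tls-config tls-common {
		# Certificate and key the server presents to the supplicant.
		# This is the certificate the Windows client must be able to chain
		# to a root it trusts (the ca.pem below, or a public CA).
		private_key_file = /etc/freeradius/certs/server.key
		certificate_file = /etc/freeradius/certs/server.pem

		# CA used to build the chain sent to the client, and to verify
		# a client certificate if one happens to be presented.
		ca_file = /etc/freeradius/certs/ca.pem
		dh_file = /etc/freeradius/certs/dh

		# TTLS authenticates the user with PAP inside the tunnel, so the
		# server only needs its own certificate; do not demand one from
		# the client.
		require_client_cert = no

		# Reject legacy TLS versions (the debug output above negotiated 1.2).
		tls_min_version = "1.2"
	}

	ttls {
		tls = tls-common
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		# The inner request carries User-Name and User-Password (PAP),
		# so the inner-tunnel virtual server is where ldap/AD lookups
		# and the pap module run.
		virtual_server = "inner-tunnel"
	}
}
```

With this layout nothing is needed in the Windows client's personal certificate store; only the root that signed server.pem has to be in its trusted roots.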