Hi Alan,

Thanks mate for your reply. I have the following parameters in radiusd.conf...

$INCLUDE ${confdir}/sqlcounter.conf

authorize {
        preprocess
#       auth_log
#       attr_filter
        chap
        mschap
#       digest
#       IPASS
        suffix
        eap
        files
        sql
#       etc_smbpasswd
#       ldap
        noresetcounter
        dailycounter
        monthlycounter
}

#  Accounting. Log the accounting data.
#
accounting {
        acct_unique
        detail
        daily
        unix
        radutmp
#       sradutmp
#       main_pool
        sql
}

session {
        radutmp
        sql
}

radiusd -Xp 1645 returns ....

--------------------------------------------------------------
sqlcounter: counter-name = "Daily-Session-Time"
sqlcounter: check-name = "Max-Daily-Session"
sqlcounter: key = "User-Name"
sqlcounter: sqlmod-inst = "sql"
sqlcounter: query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
sqlcounter: reset = "daily"
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 1673
rlm_sqlcounter: Check attribute Max-Daily-Session is number 1674
rlm_sqlcounter: Current Time: 1080035841 [2004-03-23 09:57:21], Next reset 1080086400 [2004-03-24 00:00:00]
rlm_sqlcounter: Current Time: 1080035841 [2004-03-23 09:57:21], Prev reset 1080000000 [2004-03-23 00:00:00]
Module: Instantiated sqlcounter (dailycounter)
--------------------------------------------------------------

It does set the Daily and Monthly counters but doesn't update the MySQL table stats... that worries me.
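Editor's added example, not part of Sagar's mail and not FreeRADIUS code: it replays what the dailycounter query in the debug output above computes, against a constructed radacct table in SQLite, and compares the sum with a Max-Daily-Session value. The counter module only reads this sum during authorize; the radacct rows it sums are written by the sql module in the accounting section, which is why the counter itself never changes the table. The usernames, session rows and the 10800-second limit are constructed; the "Current Time" and reset values are the ones from the debug output (they line up with midnight UTC). GREATEST() and UNIX_TIMESTAMP() are MySQL functions, so the SQLite version uses the scalar MAX() and stores AcctStartTime as a Unix timestamp.

```python
"""Replay of the rlm_sqlcounter daily query against constructed radacct rows (added example)."""
import sqlite3

DAY = 86400
NOW = 1080035841   # "Current Time" from the debug output: 2004-03-23 09:57:21 UTC


def daily_reset_bounds(now):
    """Previous and next midnight UTC, matching the 'Prev reset' / 'Next reset' debug lines."""
    prev = now - (now % DAY)
    return prev, prev + DAY


# SQLite equivalent of the sqlcounter query. %b (start of the current reset
# period) and %k (the User-Name key) become bound parameters. Sessions that
# started before the reset only contribute the seconds after it; sessions that
# ended before the reset are excluded by the WHERE clause.
USAGE_SQL = """
SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0)
FROM radacct
WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?
"""


def make_sample_db():
    """Constructed radacct rows placed around the reset boundary (sample data, not real accounting)."""
    prev, _ = daily_reset_bounds(NOW)
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", [
        ("sagar", prev + 3600, 3600),    # entirely after the reset: all 3600 s count
        ("sagar", prev - 1800, 5400),    # straddles midnight: only the 3600 s after the reset count
        ("sagar", prev - 10000, 5000),   # ended before the reset: filtered out by the WHERE clause
        ("bob", prev + 100, 1000),       # a different User-Name key
    ])
    return conn


def daily_usage(conn, user, prev_reset):
    """Seconds used by `user` since the last reset, as the counter query sums them."""
    return conn.execute(USAGE_SQL, (prev_reset, user, prev_reset)).fetchone()[0]


def remaining_today(conn, user, max_daily, now=NOW):
    """Max-Daily-Session minus usage; a result <= 0 means the authorize check fails."""
    prev, _ = daily_reset_bounds(now)
    return max_daily - daily_usage(conn, user, prev)


if __name__ == "__main__":
    prev, nxt = daily_reset_bounds(NOW)
    print(f"Prev reset {prev}, Next reset {nxt}")
    db = make_sample_db()
    used = daily_usage(db, "sagar", prev)
    print(f"sagar used {used} s today, {remaining_today(db, 'sagar', 10800)} s remaining of 10800")
```

With the constructed rows, the straddling session is the interesting one: the query clips it at the reset boundary, so a 5400-second session that began at 23:30 yesterday adds only 3600 seconds to today's counter.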
Regards,
Sagar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 22 March 2004 19:42
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #3023 - 3 msgs

Today's Topics:

   1. Re: SQLCOUNTER Problems (Alan DeKok)
   2. RE: Using freeradius to authenticate users to a Windows 2000 AD (Steve OBrien)
   3. RE: Using freeradius to authenticate users to a Windows 2000 AD (Steve OBrien)

--__--__--

Message: 1
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: SQLCOUNTER Problems
Date: Mon, 22 Mar 2004 14:00:23 -0500
Reply-To: [EMAIL PROTECTED]

<[EMAIL PROTECTED]> wrote:
> After compiling RLM_SQLCOUNTER with FreeRadius .. I still can't see
> radius trying to update usage statistics in MYSQL tables.
> I read doc/rlm_sqlcounter and thought whenever user uses any minutes out
> of allocated values RLM_COUNTER will change statistics by calculating :
> (Allocated time - Used time) = Remaining time.
> Am I right here? Any help will be appreciated....

  Just listing "sqlcounter" in the "modules" section won't do anything.
You've got to tell the server WHEN to use it.  List it in the
"accounting" and "authorize" sections, too.

  Alan DeKok.

--__--__--

Message: 2
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
From: Steve OBrien <[EMAIL PROTECTED]>
Date: Mon, 22 Mar 2004 11:36:15 -0800
Reply-To: [EMAIL PROTECTED]
OK Tarun, everything looks OK from LDP.exe, at least I am able to connect and browse. But with ldapbrowse I am getting "CA certificate is not in server certificate chain."

So to back up a bit, the certificate that I need on the freeradius box is the one you can retrieve via the web interface on the m$ certificate server when you select the "Retrieve the CA certificate or CRL" radio button?

"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

Looks like the LDAPS connection from non-Windows-native clients is not working properly. From a Windows workstation (not on the AD machine) first try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with the SSL flag set to get to your AD LDAP server and see if this works. This shows if LDAPS is working from a Windows-native point of view. Next, try LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS (on Windows you will need Sun Java); import your AD root CA cert (use the same PEM file as used before - see the documentation below). If you can connect now, this will provide an indication that connection from "non-Windows-native" clients works with LDAPS.

Once that works, you can then go on from there.

Regards
Tarun

===================== Doc - is a sample session ============================

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries

thawtepersonalfreemailca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password: changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
MD5: something
SHA1: something
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries

1049851423488, 9/04/2003, trustedCertEntry,
Certificate fingerprint (MD5): 71:C5:05:89:08:BC:78:96:20:45:E2:0E:FD:89:E8:72
1042686583627, 16/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): D9:11:9E:1A:CE:C5:C4:29:2F:E6:DE:EB:C0:E8:12:0D
1047532540747, 13/03/2003, trustedCertEntry,
Certificate fingerprint (MD5): 90:81:E7:42:CA:D8:90:A7:59:A5:0E:D3:0E:20:1E:B0
1042609942072, 15/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): F0:C3:1D:07:F7:20:7E:95:97:73:53:76:12:9B:D4:14
1046156863186, 25/02/2003, trustedCertEntry,
Certificate fingerprint (MD5): F3:04:1F:F2:73:4F:C3:0D:C1:FA:5C:4C:D3:C6:13:1A
1042179593031, 10/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): A0:AD:08:60:83:1B:C3:50:72:7B:95:92:5A:67:E3:91

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password: changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
MD5: something
SHA1: something
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving C:\Tools\ldapbrowser\lbecacerts]

============================ End Doc ==================================

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Sunday, 21 March 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

OK I got that problem fixed on the windows side. Now I am getting an immediate access-reject; here is the debug:

<snip>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--__--__--

Message: 3
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
From: Steve OBrien <[EMAIL PROTECTED]>
Date: Mon, 22 Mar 2004 11:40:46 -0800
Reply-To: [EMAIL PROTECTED]

Would it also matter if my certificate was self-signed, as we do not have a need for a third-party signed certificate at this time?
Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393
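Editor's added example, not from Tarun's or Steve's mails and not part of FreeRADIUS or the LDAP Browser/Editor: it performs the same test Tarun describes (connect to the AD server over LDAPS trusting only the imported CA PEM) from Python's ssl module, and maps OpenSSL's verification result onto the fix an administrator needs. It also answers the self-signed question in practice: a self-signed DC certificate is its own issuer, so the file to trust is that certificate itself, and verification reports it as a self-signed leaf rather than "issuer not found". The host, port, CA path and the advice strings are assumptions; the error codes are OpenSSL's X509_V_ERR_* values as exposed by ssl.SSLCertVerificationError.verify_code.

```python
"""Probe an LDAPS endpoint with an explicit trust store and explain verify failures (added example)."""
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, as surfaced in ssl.SSLCertVerificationError.verify_code,
# with the remediation each one points to for an AD-over-LDAPS client.
VERIFY_ADVICE = {
    2: "issuer certificate missing from the chain: import the intermediate or root CA",
    10: "server certificate has expired",
    18: "self-signed leaf: the DC certificate is its own CA, import that certificate as trusted",
    19: "self-signed root not trusted: import the AD root CA (the 'Retrieve the CA certificate or CRL' download)",
    20: "issuer not in trust store: the CA file does not contain the DC's issuing CA",
    62: "hostname mismatch: connect using the name in the certificate's subject or SAN",
}


def explain_verify_error(code):
    """Human-readable remediation for an OpenSSL verify code."""
    return VERIFY_ADVICE.get(code, f"verification failed (X509_V_ERR {code})")


def trust_context(ca_pem=None):
    """TLS client context that verifies the peer against ONLY ca_pem (or the system store if None)."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def ldaps_probe(host, port=636, ca_pem=None, timeout=5.0):
    """Attempt a verified TLS handshake to host:port; never raises, returns a result dict.

    stage is one of: 'verified' (chain and hostname OK), 'verify' (chain rejected,
    with the OpenSSL code and advice), 'handshake' (other TLS failure) or 'connect'
    (TCP-level failure or missing CA file).
    """
    try:
        ctx = trust_context(ca_pem)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = tls.getpeercert()
                subject = dict(rdn[0] for rdn in peer.get("subject", ()))
                return {"ok": True, "stage": "verified",
                        "subject": subject.get("commonName"), "protocol": tls.version()}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "stage": "verify", "code": e.verify_code,
                "advice": explain_verify_error(e.verify_code)}
    except ssl.SSLError as e:
        return {"ok": False, "stage": "handshake", "advice": str(e)}
    except OSError as e:
        return {"ok": False, "stage": "connect", "advice": str(e)}


if __name__ == "__main__":
    # Assumed hostname and CA file; replace with the DC name and the exported CA PEM.
    result = ldaps_probe("somedc.somecompany.com", ca_pem="somedc.ca.pem")
    print(result)
```

Run it with the same PEM that was imported into the keytool stores above; a "verify" result with code 18 or 19 means the PEM handed to the client is not the certificate that actually tops the DC's chain, which is the situation behind "CA certificate is not in server certificate chain".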
--__--__--

End of Freeradius-Users Digest

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html