I can't go through this now. Perhaps later this evening. Anything wrong with using the provided and tested CA.all script? Or do you just like things complicated? At first glance you are using cacert as a root certificate instead of creating one.
Ivan Kalik
Kalik Informatika ISP

On 2/10/2007, "Sergio Belkin" <[EMAIL PROTECTED]> writes:

>2007/10/1, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
>> Yes. This is still the certificate problem. You haven't got to the
>> password check yet. Check that you have imported the correct
>> certificates (as per previous post).
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
>It's a bit strange, I think that I created and imported it well. I did so:
>
>cd /usr/local/etc/raddb
>
>/etc/pki/tls/misc/CA -newca
>
>openssl req -new -nodes -keyout privadaradius.pem -out
>pedidoradius.pem -days 730 -config /etc/pki/tls/openssl.cnf
>
>openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything
>-out publicaradius.pem -extensions xpserver_ext -extfile
>/etc/pki/tls/xpextensions -infiles pedidoradius.pem
>
>I edited publicaradius.pem in order to delete the lines above "BEGIN
>CERTIFICATE" and joined it with the key file. Previously I backed up the
>certificate file:
>
>cp publicaradius.pem publicaradius.pem.bkp
>
>cat privadaradius.pem publicaradius.pem > privandpubradius.pem
>
>DH file creation:
>
>openssl dhparam -check -text -5 512 -out dh
>
>Random file:
>
>dd if=/dev/urandom of=random count=2
>
>Then I copied cacert.pem to a pendrive and imported it in Windows as a
>Trusted Certificate in mmc. OK, you can say pem is not the right
>format, ok, I've created the der file:
>
> openssl x509 -inform PEM -outform DER -in CA/cacert.pem -out CA/cacert.der
>
>Ok, you say, der is not the format but p12 is, so:
>
>openssl pkcs12 -export -in certs/CA/cacert.pem -inkey
>certs/CA/private/cakey.pem -out certs/CA/cacert.p12 -clcerts
>
>In each case I imported the certificate but it never worked :(
>
>What's wrong about all of this?
>
>Thanks in advance
>
>>
>>
>> On 1/10/2007, "Sergio Belkin" <[EMAIL PROTECTED]> writes:
>>
>> >2007/10/1, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
>> >> Because the conversation hasn't got to password checking. Probably, since
>> >> this debug doesn't mean much to me.
>> >>
>> >> Ivan Kalik
>> >> Kalik Informatika ISP
>> >
>> >These are Debug messages (using a wrong password)
>> >
>> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=66, length=98
>> > User-Name = "test"
>> > Calling-Station-Id = "00-0e-35-bf-51-18"
>> > EAP-Message = 0x020100090174657374
>> > Framed-MTU = 1287
>> > NAS-IP-Address = 192.168.1.1
>> > NAS-Port = 0
>> > NAS-Port-Type = Wireless-802.11
>> > Message-Authenticator = 0xb8d1b41830e1a2edc1ecf677b3936c68
>> > Processing the authorize section of radiusd.conf
>> >modcall: entering group authorize for request 2
>> > modcall[authorize]: module "preprocess" returns ok for request 2
>> > modcall[authorize]: module "chap" returns noop for request 2
>> > modcall[authorize]: module "mschap" returns noop for request 2
>> > rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>> > rlm_realm: No such realm "NULL"
>> > modcall[authorize]: module "suffix" returns noop for request 2
>> > rlm_eap: EAP packet type response id 1 length 9
>> > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> > modcall[authorize]: module "eap" returns updated for request 2
>> > users: Matched entry test at line 79
>> > modcall[authorize]: module "files" returns ok for request 2
>> >rlm_pap: Found existing Auth-Type, not changing it.
>> > modcall[authorize]: module "pap" returns noop for request 2
>> >modcall: leaving group authorize (returns updated) for request 2
>> > rad_check_password: Found Auth-Type EAP
>> >auth: type "EAP"
>> > Processing the authenticate section of radiusd.conf
>> >modcall: entering group authenticate for request 2
>> > rlm_eap: EAP Identity
>> > rlm_eap: processing type tls
>> > rlm_eap_tls: Initiate
>> > rlm_eap_tls: Start returned 1
>> > modcall[authenticate]: module "eap" returns handled for request 2
>> >modcall: leaving group authenticate (returns handled) for request 2
>> >Sending Access-Challenge of id 66 to 10.30.1.151 port 1036
>> > Reply-Message = "Hola test"
>> > EAP-Message = 0x010200061920
>> > Message-Authenticator = 0x00000000000000000000000000000000
>> > State = 0x0554162407c62e4d26c570bf0dc3a4aa
>> >Finished request 2
>> >Going to the next request
>> >--- Walking the entire request list ---
>> >Waking up in 6 seconds...
>> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=67,
>> >length=187
>> > User-Name = "test"
>> > Calling-Station-Id = "00-0e-35-bf-51-18"
>> > EAP-Message =
>> >0x0202005019800000004616030100410100003d030147015317f20f33b39cf4163f4dc7389a82b29787664c80850600d8173d387a8c00001600040005000a000900640062000300060013001200630100
>> > Framed-MTU = 1287
>> > NAS-IP-Address = 192.168.1.1
>> > NAS-Port = 0
>> > NAS-Port-Type = Wireless-802.11
>> > State = 0x0554162407c62e4d26c570bf0dc3a4aa
>> > Message-Authenticator = 0x772f0fcf0b9095b3987366da2b8b0eec
>> > Processing the authorize section of radiusd.conf
>> >modcall: entering group authorize for request 3
>> > modcall[authorize]: module "preprocess" returns ok for request 3
>> > modcall[authorize]: module "chap" returns noop for request 3
>> > modcall[authorize]: module "mschap" returns noop for request 3
>> > rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>> > rlm_realm: No such realm "NULL"
>> > modcall[authorize]: module "suffix" returns noop for request 3
>> > rlm_eap: EAP packet type response id 2 length 80
>> > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> > modcall[authorize]: module "eap" returns updated for request 3
>> > users: Matched entry test at line 79
>> > modcall[authorize]: module "files" returns ok for request 3
>> >rlm_pap: Found existing Auth-Type, not changing it.
>> > modcall[authorize]: module "pap" returns noop for request 3
>> >modcall: leaving group authorize (returns updated) for request 3
>> > rad_check_password: Found Auth-Type EAP
>> >auth: type "EAP"
>> > Processing the authenticate section of radiusd.conf
>> >modcall: entering group authenticate for request 3
>> > rlm_eap: Request found, released from the list
>> > rlm_eap: EAP/peap
>> > rlm_eap: processing type peap
>> > rlm_eap_peap: Authenticate
>> > rlm_eap_tls: processing TLS
>> >rlm_eap_tls: Length Included
>> > eaptls_verify returned 11
>> > (other): before/accept initialization
>> > TLS_accept: before/accept initialization
>> > rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
>> > TLS_accept: SSLv3 read client hello A
>> > rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>> > TLS_accept: SSLv3 write server hello A
>> > rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate
>> > TLS_accept: SSLv3 write certificate A
>> > rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
>> > TLS_accept: SSLv3 write server done A
>> > TLS_accept: SSLv3 flush data
>> > TLS_accept: Need to read more data: SSLv3 read client certificate A
>> >In SSL Handshake Phase
>> >In SSL Accept mode
>> > eaptls_process returned 13
>> > rlm_eap_peap: EAPTLS_HANDLED
>> > modcall[authenticate]: module "eap" returns handled for request 3
>> >modcall: leaving group authenticate (returns handled) for request 3
>> >Sending Access-Challenge of id 67 to 10.30.1.151 port 1036
>> > Reply-Message = "Hola test"
>> > EAP-Message =
>> > EAP-Message =
>> > EAP-Message =
>> >0x13106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e65647530819f300d06092a864886f70d010101050003818d0030818902818100eae88c4ee5755bcff546c3a68bab7b736e6f65d8606c1aadecf6992e59f340adddb323e7a3400a65e50cc80d7dd9ad58d86e50755c9e7e16640cd216ce68ce368aa37792817f1fc9aa30a016a3ee11ef5ab0b70d75543ec1aa8786d84caa7e6fe65bd4d9717cbf419d04f08181a24aa3591b1254bd78c4493f7424ccce2c1f150203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104
>> > EAP-Message =
>> >0x050003818100b0496218dcda605d85723a61b574fe1254e2d9a02fcc7c635099f663609b0e5c4507497ed3ee2b15082bdc3ad578060c015ed439a6072eb1e6f418a7a0394442afbf6465258a1afd677343c6a71f9a4cf79d34f28d1c074053e2f7a9de236dbe7d7ea9a2150b26643b95e33f83172a0e36805e9ee185e5d2f8a914843a8647f516030100040e000000
>> > Message-Authenticator = 0x00000000000000000000000000000000
>> > State = 0xa1e27c380c18bfa0a712fb53b701d612
>> >Finished request 3
>> >Going to the next request
>> >Waking up in 6 seconds...
>> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=68,
>> >length=113
>> > User-Name = "test"
>> > Calling-Station-Id = "00-0e-35-bf-51-18"
>> > EAP-Message = 0x020300061900
>> > Framed-MTU = 1287
>> > NAS-IP-Address = 192.168.1.1
>> > NAS-Port = 0
>> > NAS-Port-Type = Wireless-802.11
>> > State = 0xa1e27c380c18bfa0a712fb53b701d612
>> > Message-Authenticator = 0xad3e26570e7fb8ad2e80b1107a777ee1
>> > Processing the authorize section of radiusd.conf
>> >modcall: entering group authorize for request 4
>> > modcall[authorize]: module "preprocess" returns ok for request 4
>> > modcall[authorize]: module "chap" returns noop for request 4
>> > modcall[authorize]: module "mschap" returns noop for request 4
>> > rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>> > rlm_realm: No such realm "NULL"
>> > modcall[authorize]: module "suffix" returns noop for request 4
>> > rlm_eap: EAP packet type response id 3 length 6
>> > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> > modcall[authorize]: module "eap" returns updated for request 4
>> > users: Matched entry test at line 79
>> > modcall[authorize]: module "files" returns ok for request 4
>> >rlm_pap: Found existing Auth-Type, not changing it.
>> > modcall[authorize]: module "pap" returns noop for request 4
>> >modcall: leaving group authorize (returns updated) for request 4
>> > rad_check_password: Found Auth-Type EAP
>> >auth: type "EAP"
>> > Processing the authenticate section of radiusd.conf
>> >modcall: entering group authenticate for request 4
>> > rlm_eap: Request found, released from the list
>> > rlm_eap: EAP/peap
>> > rlm_eap: processing type peap
>> > rlm_eap_peap: Authenticate
>> > rlm_eap_tls: processing TLS
>> >rlm_eap_tls: Received EAP-TLS ACK message
>> > rlm_eap_tls: ack handshake fragment handler
>> > eaptls_verify returned 1
>> > eaptls_process returned 13
>> > rlm_eap_peap: EAPTLS_HANDLED
>> > modcall[authenticate]: module "eap" returns handled for request 4
>> >modcall: leaving group authenticate (returns handled) for request 4
>> >Sending Access-Challenge of id 68 to 10.30.1.151 port 1036
>> > Reply-Message = "Hola test"
>> > EAP-Message = 0x010400061900
>> > Message-Authenticator = 0x00000000000000000000000000000000
>> > State = 0xf791ee30348d584c274257c11d454e39
>> >Finished request 4
>> >Going to the next request
>> >Waking up in 6 seconds...
>> >
>> >
>> >> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>--
>Sergio Belkin
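The quoted debug stops right after the server's Certificate and ServerHelloDone messages and the client's empty EAP-TLS ACK, which is the point where the supplicant evaluates the server certificate against whatever CA it has imported. The script below is an added example (not code from this thread or from FreeRADIUS) that runs the checks a practitioner would want before touching the Windows side: that the issued certificate chains to cacert.pem, that it carries the serverAuth extendedKeyUsage that the xpserver_ext section is meant to add, and that the private key in the combined key+cert file actually belongs to that certificate. It assumes openssl is in PATH; the file names mirror the procedure quoted above (CA/cacert.pem, privadaradius.pem, publicaradius.pem, privandpubradius.pem) but the test PKI it builds is constructed on the fly and throwaway. Note that the client only needs the CA's public certificate (cacert.pem or cacert.der); a PKCS#12 built with -inkey cakey.pem also carries the CA's private key, which should never leave the CA host.

```shell
#!/bin/sh
# Added example (not from the list thread or FreeRADIUS): sanity-check an
# EAP-TLS/PEAP server certificate set with openssl before exporting the CA
# certificate to a supplicant. Assumes openssl in PATH; all file names are
# hypothetical and mirror the quoted procedure.

# build_test_pki DIR
# Constructs a throwaway CA and a server certificate signed by it so the
# checks below run offline. The extension section plays the role of the
# xpserver_ext section in xpextensions: extendedKeyUsage = serverAuth
# (OID 1.3.6.1.5.5.7.3.1), which Windows supplicants require on the server cert.
build_test_pki() {
    dir=$1
    mkdir -p "$dir/CA"
    printf '[xpserver_ext]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.1\n' > "$dir/xpextensions"
    # self-signed CA; cakey.pem stays in this directory
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/CA/cakey.pem" -out "$dir/CA/cacert.pem" >/dev/null 2>&1
    # server key and CSR, then sign it with the CA using the xpserver_ext section
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=radius.example.test" \
        -keyout "$dir/privadaradius.pem" -out "$dir/pedidoradius.pem" >/dev/null 2>&1
    openssl x509 -req -in "$dir/pedidoradius.pem" \
        -CA "$dir/CA/cacert.pem" -CAkey "$dir/CA/cakey.pem" -CAcreateserial \
        -days 365 -extfile "$dir/xpextensions" -extensions xpserver_ext \
        -out "$dir/publicaradius.pem" >/dev/null 2>&1
    # combined key+cert file, the way the thread builds it for eap.conf
    cat "$dir/privadaradius.pem" "$dir/publicaradius.pem" > "$dir/privandpubradius.pem"
}

# check_server_cert CA_CERT COMBINED_PEM
# Returns 0 only when all three hold:
#   1. the certificate chains to CA_CERT (what the client will be told to trust),
#   2. it carries the TLS Web Server Authentication EKU,
#   3. the private key in the combined file matches the certificate.
check_server_cert() {
    ca=$1
    bundle=$2
    tmp=$(mktemp)
    # pull the certificate block out of the combined file
    if ! openssl x509 -in "$bundle" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "FAIL: no certificate found in $bundle"; return 1
    fi
    # chain check; grep for ': OK' so old openssl builds that always exit 0 are handled too
    if ! openssl verify -CAfile "$ca" "$tmp" 2>&1 | grep -q ': OK$'; then
        rm -f "$tmp"; echo "FAIL: certificate does not chain to $ca"; return 1
    fi
    if ! openssl x509 -in "$tmp" -noout -text | grep -q "TLS Web Server Authentication"; then
        rm -f "$tmp"; echo "FAIL: no serverAuth extendedKeyUsage (xpserver_ext missing?)"; return 1
    fi
    # the public key derived from the private key must equal the one in the cert
    certpub=$(openssl x509 -in "$tmp" -noout -pubkey)
    keypub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null)
    rm -f "$tmp"
    if [ -z "$keypub" ] || [ "$certpub" != "$keypub" ]; then
        echo "FAIL: private key in $bundle does not match the certificate"; return 1
    fi
    echo "OK: $bundle chains to $ca, has serverAuth EKU, key matches"
    return 0
}

# Demo when run directly as: sh check_eap_certs.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_test_pki "$work"
    check_server_cert "$work/CA/cacert.pem" "$work/privandpubradius.pem"
    rm -rf "$work"
fi
```

Run check_server_cert against the real cacert.pem and privandpubradius.pem from raddb; a FAIL on the chain check means the client will be importing a CA that did not issue the server certificate, which is exactly the situation the reply above points at ("using cacert as a root certificate instead of creating one").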