I once again created the certs by myself, giving the user cert the same common name as in the example, u...@example.com. I placed them on the XP client; both of them look ok, and now something is happening (anyway, like Aragorn said: "still not king"):
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "u...@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 14 to 127.0.0.1 port 1812
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323036
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 14 to 127.0.0.1 port 1812
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14, length=140
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633
        Proxy-State = 0x323036
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 14 to 127.0.0.1 port 1814
        Proxy-State = 0x323036
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14, length=25
        Proxy-State = 0x323036
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> u...@example.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 206 to 192.168.5.206 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 14 with timestamp +43
Cleaning up request 0 ID 206 with timestamp +43
Ready to process requests.

On Tue, May 19, 2009 at 2:23 PM, Bartosz Chodzinski <bartos...@gmail.com> wrote:
> So in other words this script is for all clients except Microsoft-like?
>
> > You should try altering make client command in Makefile so that client
> > certificates are signed by ca and not server certificate.
> Do you have such an altered Makefile?
>
> On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik <t...@kalik.net> wrote:
>
>> > # make client
>> >
>> > next I made a copy of ca.der and client.p12 to the XP directory,
>> > next I opened mmc and installed both of them to Trusted Root Certificate
>> > Authorities and to Personal
>> >
>> > exclamation mark on client certificate:
>> > "windows does not have enough information to verify this certificate"
>> > "you have private key that corresponds to this certificate"
>> >
>>
>> This is explained in raddb/certs/README - Compatibility. You should try
>> altering make client command in Makefile so that client certificates are
>> signed by ca and not server certificate.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
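The check Ivan's advice calls for, as an added example that is not part of this thread and not the FreeRADIUS raddb/certs Makefile: which certificate issued the client certificate, and does it verify against the CA alone? The script builds its own throwaway CA, server and client certificates with openssl (constructed demo material; the file names ca.pem, server.pem, client-by-server.pem and client-by-ca.pem are assumptions for the demo, not the raddb/certs layout), signs the client CSR once with the server certificate and once with the CA, and then reports the issuer and the `openssl verify` result for each. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS.
# Shows whether a client certificate was issued by the CA or by the
# server certificate, and whether it verifies with only the CA as trust anchor.
# Assumption: openssl is installed; all file names below are demo choices.

# Print the issuer DN of a PEM certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Return 0 if certificate $1 verifies with only the CA file $2 as trust
# anchor, 1 otherwise. The output is matched for ": OK" instead of relying
# on the exit code, because old openssl versions exit 0 even on failure.
client_signed_by_ca() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Build a constructed demo in directory $1: a CA, a server cert signed by
# the CA, one client cert signed by the server cert (the situation the
# thread describes) and one client cert signed by the CA.
make_demo_certs() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=radius.example.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=user@example.com" >/dev/null 2>&1
    # Client certificate signed by the server certificate (demo of the problem).
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/server.pem" \
        -CAkey "$dir/server.key" -CAcreateserial \
        -out "$dir/client-by-server.pem" >/dev/null 2>&1
    # Client certificate signed by the CA (what the advice in the thread asks for).
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client-by-ca.pem" >/dev/null 2>&1
}

# Generate the demo certificates and report issuer and verification for both.
demo() {
    d=$(mktemp -d)
    make_demo_certs "$d"
    for c in client-by-server client-by-ca; do
        printf '%s: %s; ' "$c" "$(cert_issuer "$d/$c.pem")"
        if client_signed_by_ca "$d/$c.pem" "$d/ca.pem"; then
            echo "verifies against ca.pem"
        else
            echo "does NOT verify against ca.pem"
        fi
    done
    rm -rf "$d"
}

demo
```

Point the same two functions at the real client.pem and ca.pem from raddb/certs instead of the demo files. If the issuer printed for the client certificate is the server's subject rather than the CA's, a client that has been given only ca.der cannot complete the chain from that certificate to a trusted root, which is the condition behind the Windows warning quoted in the thread; a client certificate issued by the CA verifies against ca.pem alone.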