back to the beginning and using the most simple conf. to be sure that I have clear configuration

#apt-get remove freeradius
#dpkg -P freeradius
#dpkg -i freeradius_2.1.6-0_i386.deb

server is Debian etchnhalf, it is virtual server on VMware ESX Server 3i, 3.5.0
now I have clear configuration and made simple changes:

radiusd.conf
    proxy_requests = no      # was yes, set to no because I don't need it
    #$INCLUDE proxy.conf     # was uncommented, see above

eap.conf
    no changes at all

clients.conf
    add a client - 192.168.5.0/24.... (client Cisco 2950)

next I made client certificate (using standard scripts)

#cd /etc/freeradius/certs
#make client

and installed certificates client.p12, ca.der on Win XP Prof SP3 OEM, Acer Travel Mate 380
certificates installed in Trusted Root CA and Personal stores (I deleted all previous certs on that system)

I still have a problem - described in previous post
> exclamation mark on client certificate:
> "windows does not have enough information to verify this certificate"
> "you have private key that corresponds to this certificate"
> http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu

but I am frightened to make any changes without your permission in /etc/freeradius/certs/Makefile, and even though I have your permission I still don't know what to change
I got familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I did not find what to change in this file

Ivan wrote:
> Use your own domain. For EAP-TLS - no modification needed. I have seen you
> going on about PEAP as well. If those users are also using format
> u...@your_domain, then create local realm your_domain - it won't interfere
> with EAP-TLS and will create Stripped-User-Name that can be used for
> authentication.

I don't want to have a domain yet, all I want to have at the beginning:

server radius + server certificate (common name: server_cert - signed by my_radius_CA)
clients radius (cisco 2950)
user radius (winxp) + client certificate (common name: client_cert - signed by my_radius_CA)

no usernames, no password for usernames, no proxies, no domains at all
I used files - ca, server, client, da, random created by /etc/freeradius/certs/bootstrap script

I know that I am at the start of the topic, I am listening, really.
Bartosz.
freeradius -X

rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=226, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "u...@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x9bcadf204cf30292cfb7f1abed75501b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 226 to 192.168.5.206 port 1812
        EAP-Message = 0x0101001604108a193ba39f65974f35dc5b3140db877f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x495360bd49526405f11f72d516a953d3
Finished request 0.
Going to the next request

On Wed, May 20, 2009 at 11:38 AM, Ivan Kalik <t...@kalik.net> wrote:
> > could you give me good freeradius guide for dummies - I think I need it
> > :)
>
> Guide: don't make any changes to the default configuration unless you know
> what you are doing. That's it.
>
> Server is configured by default to handle EAP-TLS. There is nothing that
> you need to do to make it happen.
>
> Now, about your problem: freeradius uses fake realm example.com - for
> examples of proxying, fail-over home servers, use of virtual servers etc.
> Why are *you* using it as well? These examples are not what you want to
> do.
>
> Use your own domain. For EAP-TLS - no modification needed. I have seen you
> going on about PEAP as well. If those users are also using format
> u...@your_domain, then create local realm your_domain - it won't interfere
> with EAP-TLS and will create Stripped-User-Name that can be used for
> authentication.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
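Decoding the EAP-Message attributes in a freeradius -X trace shows what the supplicant and server are actually exchanging, which is the quickest way to tell whether EAP-TLS is being negotiated at all. The script below is an added example, not code from the post or from the FreeRADIUS project; its sample log is a trimmed, constructed copy of the trace above, and the two EAP-Message hex values are the ones the trace shows. The first packet is the supplicant's Identity response, which carries the EAP identity in the clear (this is the string the suffix module splits at "@" to look for a realm). The second is the server's MD5-Challenge, which an unmodified eap.conf sends first because its default_eap_type is md5; a supplicant set up for EAP-TLS answers with a Nak listing type 13 (TLS), so the next Access-Request's EAP-Message in the trace is the one to decode to confirm the client is really asking for TLS.

```python
import re

# EAP code and type numbers (RFC 3748; 13/25/26 from the TLS, PEAP and MSCHAPv2 method specs)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

# Constructed sample: a trimmed copy of the freeradius -X lines from the post above.
# The two EAP-Message values are the ones printed in that trace.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=226, length=147
        User-Name = "u...@example.com"
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x9bcadf204cf30292cfb7f1abed75501b
[eap] EAP packet type response id 0 length 21
Sending Access-Challenge of id 226 to 192.168.5.206 port 1812
        EAP-Message = 0x0101001604108a193ba39f65974f35dc5b3140db877f
        State = 0x495360bd49526405f11f72d516a953d3
"""

EAP_MESSAGE_RE = re.compile(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+)")


def extract_eap_messages(log_text):
    """Return the raw bytes of every EAP-Message attribute printed in a debug trace."""
    return [bytes.fromhex(h) for h in EAP_MESSAGE_RE.findall(log_text)]


def decode_eap(raw):
    """Decode one EAP packet: the 4-byte header (code, id, length) and, for
    Request/Response packets, the type byte plus the payload fields we care about."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # One RADIUS EAP-Message attribute holds at most 253 bytes; a longer EAP
        # packet (a TLS record) is split over several attributes, so a mismatch
        # means the fragments must be concatenated before decoding.
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code not in (1, 2) or len(raw) < 5:
        return info  # Success/Failure carry no type byte
    eap_type = raw[4]
    data = raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 1:
        # Identity travels unencrypted; it is what the suffix module sees.
        info["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == 3:
        # Nak: the methods the peer is willing to use instead of the one offered
        info["desired_types"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
    elif eap_type == 4:
        # MD5-Challenge: one value-size byte, then the challenge octets
        size = data[0]
        info["challenge"] = data[1:1 + size].hex()
    return info


def decode_trace(log_text):
    """Decode every EAP-Message found in a trace, in the order it was printed."""
    return [decode_eap(raw) for raw in extract_eap_messages(log_text)]


if __name__ == "__main__":
    for packet in decode_trace(SAMPLE_LOG):
        print(packet)
```

Run against a full trace, the decoder lists one dictionary per EAP packet; after the MD5-Challenge you expect a Response of type Nak with desired_types ["TLS"], then Request/Response pairs of type TLS carrying the handshake fragments.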