Hi Ivan,

OK, could you let me know what I need to alter in the Makefile?

Just wanted to make sure I don't do something wrong here. What are the steps that I need to take to do this? I can see a Makefile in /etc/raddb/certs

Thanks
Devinder

2009/8/4 Ivan Kalik <t...@kalik.net>:
> OK, I think this is the issue where Windows refuses to accept server
> certificate as the intermediate CA. You should alter Makefile in certs to
> sign client certificates with CA and not server certificate.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>> Hi Ivan
>>
>> I still get the same error now
>>
>> Found Auth-Type = EAP
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] EAP/tls
>> [eap] processing type tls
>> [tls] Authenticate
>> [tls] processing EAP-TLS
>> [tls] eaptls_verify returned 7
>> [tls] Done initial handshake
>> [tls] <<< TLS 1.0 Handshake [length 03b2], Certificate
>> --> verify error:num=20:unable to get local issuer certificate
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert write:fatal:unknown CA
>> TLS_accept:error in SSLv3 read client certificate B
>> rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> SSL: SSL_read failed in a system call (-1), TLS session fails.
>> TLS receive handshake failed during operation
>> [tls] eaptls_process returned 4
>> [eap] Handler failed in EAP/tls
>> [eap] Failed in EAP select
>> ++[eap] returns invalid
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} -> devin...@palettemm.com
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 7 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 7
>> Sending Access-Reject of id 141 to 203.121.4.59 port 6001
>> EAP-Message = 0x04070004
>> Message-Authenticator = 0x00000000000000000000000000000000
>> Waking up in 3.8 seconds.
>> Cleaning up request 1 ID 135 with timestamp +120
>> Cleaning up request 2 ID 136 with timestamp +120
>> Cleaning up request 3 ID 137 with timestamp +120
>> Cleaning up request 4 ID 138 with timestamp +120
>> Cleaning up request 5 ID 139 with timestamp +120
>> Cleaning up request 6 ID 140 with timestamp +120
>> Waking up in 1.0 seconds.
>> Cleaning up request 7 ID 141 with timestamp +120
>> Ready to process requests.
>>
>> 2009/8/4 Devinder Singh <devinbhul...@gmail.com>:
>>> OK, I took your advice and yes, it's a different error now
>>>
>>> Listening on authentication address * port 1812
>>> Listening on accounting address * port 1813
>>> Listening on proxy address * port 1814
>>> Ready to process requests.
>>> rad_recv: Access-Request packet from host 203.121.4.59 port 6001, id=134, length=181
>>> User-Name = "devin...@palettemm.com"
>>> NAS-IP-Address = 203.121.4.59
>>> Called-Station-Id = "00-20-a6-6c-49-9d:palstaff"
>>> Calling-Station-Id = "00-04-23-7b-56-b9"
>>> NAS-Identifier = "ORiNOCO-AP-700-6c-49-9d"
>>> Framed-MTU = 1400
>>> NAS-Port-Type = Wireless-802.11
>>> EAP-Message = 0x0203001b01646576696e6465724070616c657474656d6d2e636f6d
>>> Message-Authenticator = 0xb7f29ed2232abda7b5b24bb131883617
>>> +- entering group authorize {...}
>>> ++[preprocess] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>> [suffix] Looking up realm "palettemm.com" for User-Name = "devin...@palettemm.com"
>>> [suffix] No such realm "palettemm.com"
>>> ++[suffix] returns noop
>>> [eap] EAP packet type response id 3 length 27
>>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>>> ++[eap] returns updated
>>> ++[unix] returns notfound
>>> [files] users: Matched entry devin...@palettemm.com at line 94
>>> ++[files] returns ok
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>>> ++[pap] returns noop
>>> Found Auth-Type = EAP
>>> +- entering group authenticate {...}
>>> [eap] EAP Identity
>>> [eap] processing type md5
>>> rlm_eap_md5: Issuing Challenge
>>> ++[eap] returns handled
>>> Sending Access-Challenge of id 134 to 203.121.4.59 port 6001
>>> EAP-Message = 0x010400160410edd3007f1e599b71120693ed62eaee7c
>>> Message-Authenticator = 0x00000000000000000000000000000000
>>> State = 0x17b5db9117b1dfd16583cca5ed9db022
>>> Finished request 0.
>>> Going to the next request
>>> Waking up in 4.9 seconds.
>>> Cleaning up request 0 ID 134 with timestamp +1
>>> Ready to process requests.
>>>
>>> 2009/8/4 Devinder Singh <devinbhul...@gmail.com>:
>>>> Hi Ivan
>>>>
>>>> Thanks. Yes, I have double-clicked on the ca.der file and client.p12; both
>>>> were installed successfully.
>>>>
>>>> I also managed to set up my SSID palstaff and when I click on the SSID
>>>> I see a pop-up window on my wireless LAN asking for my username on
>>>> certificate and I selected
>>>>
>>>> devin...@palettemm.com from the combo drop-down list and clicked OK
>>>>
>>>> When I click OK, radius reports the following error
>>>>
>>>> TLS Alert write:fatal:unknown CA
>>>> TLS_accept:error in SSLv3 read client certificate B
>>>> rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>>> SSL: SSL_read failed in a system call (-1), TLS session fails.
>>>> TLS receive handshake failed during operation
>>>> [tls] eaptls_process returned 4
>>>> [eap] Handler failed in EAP/tls
>>>> [eap] Failed in EAP select
>>>> ++[eap] returns invalid
>>>> Failed to authenticate the user.
>>>> Using Post-Auth-Type Reject
>>>> +- entering group REJECT {...}
>>>> [attr_filter.access_reject] expand: %{User-Name} -> devin...@palettemm.com
>>>> attr_filter: Matched entry DEFAULT at line 11
>>>> ++[attr_filter.access_reject] returns updated
>>>> Delaying reject of request 6 for 1 seconds
>>>> Going to the next request
>>>> Waking up in 0.9 seconds.
>>>> Sending delayed reject for request 6
>>>> Sending Access-Reject of id 133 to 203.121.4.59 port 6001
>>>> EAP-Message = 0x040a0004
>>>> Message-Authenticator = 0x00000000000000000000000000000000
>>>> Waking up in 3.6 seconds.
>>>> Cleaning up request 0 ID 127 with timestamp +18
>>>> Cleaning up request 1 ID 128 with timestamp +18
>>>> Cleaning up request 2 ID 129 with timestamp +18
>>>> Cleaning up request 3 ID 130 with timestamp +18
>>>> Cleaning up request 4 ID 131 with timestamp +18
>>>> Waking up in 0.2 seconds.
>>>> Cleaning up request 5 ID 132 with timestamp +18
>>>> Waking up in 1.0 seconds.
>>>> Cleaning up request 6 ID 133 with timestamp +19
>>>> Ready to process requests.
>>>>
>>>> 2009/8/4 Ivan Kalik <t...@kalik.net>:
>>>>>> I managed to follow the steps in /etc/raddb/certs/README
>>>>>>
>>>>>> and copied ca.der and client.p12 to XP machine
>>>>>
>>>>> It looks like you have copied them but not installed them in the
>>>>> certificate store. Double-click the certificates and install them
>>>>> first.
>>>>>
>>>>> Ivan Kalik
>>>>> Kalik Informatika ISP
>>>>
>>>> --
>>>> Devinder
>>>
>>> --
>>> Devinder
>>
>> --
>> Devinder

--
Devinder

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
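
The difference Ivan describes, reproduced with a throwaway PKI (an added example, not part of the thread and not the FreeRADIUS certs/Makefile; every file and subject name is constructed): a client certificate issued by the server certificate does not chain to the CA on its own, while one issued directly by the CA does.

```shell
#!/bin/sh
# Added example: constructed demo PKI. File names (ca, server, client_by_*)
# and subject names are assumptions, not FreeRADIUS's own layout.

# Create a key and CSR for subject CN=$1, writing $1.key and $1.csr.
mkreq() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign $1.csr with issuer certificate $2.pem and key $2.key, writing $3.pem.
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$3.pem" 2>/dev/null
}

# Build the demo PKI inside directory $1 and leave the shell in it.
build_pki() {
    mkdir -p "$1" && cd "$1" || return 1
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.pem 2>/dev/null
    # Server certificate, issued by the CA.
    mkreq server && sign server ca server
    # One client key, certified twice with different issuers.
    mkreq client
    sign client server client_by_server   # issued by the server certificate
    sign client ca client_by_ca           # issued by the CA, as Ivan advises
}

# Return 0 only if certificate $1 verifies with ca.pem as the sole trust
# anchor. The output is parsed because old OpenSSL releases exit 0 from
# "verify" even when verification fails.
chains_to_ca() {
    openssl verify -CAfile ca.pem "$1" 2>/dev/null | grep -q ': OK$'
}
```

After `build_pki "$(mktemp -d)"`, `chains_to_ca client_by_ca.pem` succeeds and `chains_to_ca client_by_server.pem` fails; running `openssl verify -CAfile ca.pem` on the latter by hand prints the reason.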