Hi Fernando, It is highly recommended that you turn off HTML capability on your e-mail client to post comments to this list. Many people on the list have chosen to use mail programs that aren't HTML capable and they can barely read your message -- it shows up as HTML junk.
If you're using a mail program that is HTML capable such as Netscape or Outlook, please turn HTML posting off. Use plain text only.

Regards,
AG

On 12/4/09 1:48 PM, "t...@kalik.net" <t...@kalik.net> wrote:

>> Hi again:
>>
>> I have just tried with both CNs that I could find in my 'client
>> certificate':
>>
>> subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailAddress=u...@example.com
>> issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=ad...@example.com/CN=radiusserv.esrf.fr
>>
>> So I have tested with:
>> - Server or Certificate Name == swatzy01.esrf.fr
>> - Server or Certificate Name == radiusserv.esrf.fr
>>
>> But with the same result:
>>
>> Found Auth-Type = EAP
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] EAP/ttls
>> [eap] processing type ttls
>> [ttls] Authenticate
>> [ttls] processing EAP-TLS
>> [ttls] eaptls_verify returned 7
>> [ttls] Done initial handshake
>> [ttls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert read:fatal:unknown CA
>> TLS_accept:failed in SSLv3 read client certificate A
>> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>> TLS receive handshake failed during operation
>> [ttls] eaptls_process returned 4
>> [eap] Handler failed in EAP/ttls
>> [eap] Failed in EAP select
>> ++[eap] returns invalid
>> Failed to authenticate the user.
>>
>> I have also already done what "Ivan Kalik" said (altering
>> certs/Makefile to sign client certificates with the ca certificate instead
>> of the server certificate).
>> Because of that, "Microsoft: Smart Card or other Certificate" works
>> fine right now (not before).
>> But I'm still not able to perform "Intel: EAP-TTLS" with "PAP
>> user/password", "Server Certificate Validation" + "Specify Server or
>> Certificate Name" (if I remove the last part... it also works fine!!)
>>
>> Thanks in advance for all your kind help.
>> Regards,
>>
>> Fernando.
>>
>> Alan Buxey wrote:
>>> Hi,
>>>
>>>> ...and I guess it is not due to the "Client Certificate"
>>>> because it was successfully authenticated in the previous tests.
>>>> Probably it is because I am not sure what I should write in the box reserved
>>>> for "Server or Certificate Name" (on the "Step 2 of 2" at the supplicant
>>>> Windows software).
>>>> Does anyone know what I should write in this box? I could not find a "server
>>>> name" or "domain name" in the certificate (as it is explained in the
>>>> "Windows in-line help").
>>>
>>> This will be the CN of your server certificate.
>>>
>>> So, if, when your RADIUS server got signed by the CA, it became known
>>> as e.g. radius.happyorg.org, then the name you put into the client is
>>> radius.happyorg.org.
>>>
>>> Don't forget, this is NOT a DNS name - it is purely a 'label' - just the CN
>>> of the server.... and you must have the CA present to check that the server
>>> cert has been signed by your trusted CA (for otherwise anyone can make a
>>> server have a dumb cert with radius.happyorg.org as its CN).
>>>
>>> alan
>
> 1. Learn how to use e-mail.
>
> 2. That issuer looks like a server certificate. You say you made client
> certificates signed by the ca certificate. This doesn't seem to be one of
> them. If you can do EAP-TLS with the client certificate, you should be
> able to do EAP-TTLS with them too.
>
> Ivan Kalik
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
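The thread turns on three things: the "Server or Certificate Name" box must hold the CN of the RADIUS server certificate (Alan's point), the client certificate's issuer DN should name the CA rather than the server certificate (Ivan's point), and the "TLS Alert read:fatal:unknown CA" line means the supplicant, not FreeRADIUS, rejected the chain it was shown. The script below is an added example, not code from the thread or from the FreeRADIUS project: it parses the OpenSSL one-line DNs quoted above with the standard library only, extracts the CN the supplicant needs, does a DN-level check of whether the issuer names an expected CA, and classifies the FreeRADIUS debug alert lines by which side sent them. The CA subject (`CA_SUBJECT_EXAMPLE`) is a constructed placeholder; the elided e-mail addresses are kept exactly as they appear in the thread. Function names are my own.

```python
"""Triage helpers for an EAP-TTLS 'unknown CA' failure.

Added example, not from the mailing-list thread or FreeRADIUS.  Standard
library only.  The DN comparison is a first sieve: the real guarantee is
the CA signature, which the TLS stack on each side verifies.
"""
import re
from typing import Dict, List, Tuple

# --- Data quoted from the thread (e-mail addresses elided there; kept as-is) ---
CLIENT_CERT_SUBJECT = "subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailAddress=u...@example.com"
CLIENT_CERT_ISSUER = "issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailAddress=ad...@example.com/CN=radiusserv.esrf.fr"
THREAD_LOG = [
    "[ttls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca",
    "TLS Alert read:fatal:unknown CA",
    "TLS_accept:failed in SSLv3 read client certificate A",
    "rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]
# Constructed placeholder: what the CA's own subject might look like.
CA_SUBJECT_EXAMPLE = "subject=/C=FR/ST=Isere/L=Grenoble/O=ESRF/CN=Example CA (constructed)"

_LABEL_RE = re.compile(r"^(subject|issuer)\s*=\s*", re.IGNORECASE)
_ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)$")


def parse_openssl_dn(line: str) -> List[Tuple[str, str]]:
    """Parse OpenSSL's legacy one-line DN ('subject=/C=FR/.../CN=host') into
    ordered (attribute, value) pairs.  A leading 'subject='/'issuer=' label is
    dropped.  Values containing '/' are not handled: that legacy format is
    ambiguous there, which is one reason to prefer -nameopt RFC2253 in practice."""
    body = _LABEL_RE.sub("", line.strip()).strip("/")
    pairs = []
    for rdn in body.split("/"):
        if not rdn:
            continue
        key, _, value = rdn.partition("=")
        pairs.append((key, value))
    return pairs


def common_name(dn: List[Tuple[str, str]]) -> str:
    """Return the CN attribute; attribute names are case-insensitive."""
    for key, value in dn:
        if key.upper() == "CN":
            return value
    raise ValueError("DN has no CN attribute")


def supplicant_server_name(server_cert_subject: str) -> str:
    """The string the supplicant's 'Server or Certificate Name' box must hold:
    the CN of the RADIUS *server* certificate.  It is a label compared against
    the presented certificate, not a DNS name that gets resolved."""
    return common_name(parse_openssl_dn(server_cert_subject))


def issuer_matches_ca(cert_issuer: str, ca_subject: str) -> bool:
    """DN-level check that a certificate's issuer names the expected CA.
    Attribute names are folded (emailAddress vs emailaddress); values and order
    must match exactly.  A False here means the cert was issued by something
    else, e.g. the server certificate instead of the CA."""
    fold = lambda dn: [(k.upper(), v) for k, v in parse_openssl_dn(dn)]
    return fold(cert_issuer) == fold(ca_subject)


def classify_tls_alerts(log_lines: List[str]) -> List[Dict[str, str]]:
    """Map FreeRADIUS debug 'TLS Alert' lines to which side rejected what.
    'read'  = FreeRADIUS received the alert, so the supplicant rejected the
              server certificate chain it was shown.
    'write' = FreeRADIUS sent the alert, so it rejected the client's chain."""
    findings = []
    for line in log_lines:
        m = _ALERT_RE.search(line)
        if not m:
            continue
        direction, level, desc = m.group(1), m.group(2), m.group(3).strip()
        if direction == "read":
            meaning = "supplicant rejected the server certificate chain"
            hint = "the CA that signed the server cert is not in the supplicant's trusted store"
        else:
            meaning = "server rejected the client certificate chain"
            hint = "the CA that signed the client cert is not in the CA file FreeRADIUS trusts"
        if desc.lower() != "unknown ca":
            hint = ""  # only the unknown CA case is interpreted here
        findings.append({"direction": direction, "level": level, "alert": desc,
                         "meaning": meaning, "hint": hint})
    return findings


def triage() -> Dict[str, object]:
    """Run the three checks over the thread's data and return a report."""
    return {
        "client_cn": common_name(parse_openssl_dn(CLIENT_CERT_SUBJECT)),
        "issuer_cn": common_name(parse_openssl_dn(CLIENT_CERT_ISSUER)),
        "issuer_is_example_ca": issuer_matches_ca(CLIENT_CERT_ISSUER, CA_SUBJECT_EXAMPLE),
        "alerts": classify_tls_alerts(THREAD_LOG),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run against the thread's own data, the issuer CN comes out as `radiusserv.esrf.fr` and the placeholder-CA comparison is False, which is exactly Ivan's observation that the client certificate was signed by the server certificate rather than the CA. The single alert is classified as `read`, i.e. the supplicant sent it: whichever name is typed into the "Server or Certificate Name" box, the handshake is failing one step earlier, at the supplicant's check that the server certificate chains to a CA it trusts.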