Hello! alan buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> Hi,
>
> > I have no luck with this. I read in some articles to make an AP with
> > Radius-Authentication, one should create certificates with 'make all'
> > in the certs-directory after editing the ca.cnf and server.cnf and
> > copy the ca.pem to the client.
>
> ..that would be to ensure that you can configure the client to trust the
> RADIUS server - as they are both signed by the same CA

OK

> > Where can I read what other possibilities there are to authorize a client
> > for an AP using a radiusserver as backend.
>
> it depends what you want to do. you were talking about authenticating
> using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS)
> which means the client uses a certificate

OK, I wonder what other possibilities than certificates there are to authorize a client to a network using WLAN, like hotspots, internet cafes and hotels for example. I mean, handing over a certificate to a client on a USB stick seems impracticable to me.

[ ... snip ]

> > But I do not get a lease from the AP.
>
> thats because, as you can read, you never got an Access-Accept. the flow above
> shows that your request arrived at the server....the server is configured to use
> MD5 by default in the inner-tunnel (so change that to the method you will use
> most eg TTLS) and so the server send a NAK. the client was then put through using
> TTLS but the server sent an Access-Challenge that never got answered....which is
> in the FAQ - the client doesnt trust the server. you need to ensure that you have
> added the CA in the right certificate store on the client.....
> as this is 802.1X a quick hint - do a google search for 'eduroam configuring
> client' you should find countless examples from Universities worldwide on how
> to configure a client for doing this sort of thing....some sites will have step
> by step instructions so you can see how to do it on windows XP/Vista/7 OSX 10.6 etc
>
> ..and a favour in return..if you find any sites that DONT tell the users to
> check the CA and put the right name in the verification box, then please email me ;-)
>
> > Strange, where can I read about this?
>
> EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people
> are blocked from internet search engines
>
> > > 4) EAP-TLS is plain/simple method - thus checking against SQL for
> > > passwords is wrong
> >
> > Ok, disabled SQL and made entries in the users file.
>
> ..but from what you said above (using TTLS) - there is nothing wrong with
> using MySQL/postgreSQL etc
>
> though we DO advise people to start simple. start with users file rather than
> some fancy backend storage. once you see things working and have things in a
> working state, THEN bring in the good stuff(tm)
>
> > > 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and
> > > security fixes.
> >
> > all right, will do that if I can see some land in this ocean
>
> I would start with the upgrade first - the certificate make files got some
> fixes and improvements too! ;-)

So I followed your hint and compiled and installed freeradius-server-2.1.12. Created new certificates and changed md5 to ttls in eap.conf and the client.conf to accept my client. I configured the Linux client with YaST to connect to the AP using the ca.pem. The handshake works and I get a lease. Now this is great! The NetworkManager didn't do it.

> alan

Thank you very much for your initial help! Now I can go on examining the server.

Andreas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
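As an added example (not part of this thread and not the FreeRADIUS project's own shipped files), the two changes discussed above side by side: the server's eap.conf with the EAP-MD5 default that causes the NAK next to the EAP-TTLS setting Andreas ended up with, a users-file entry so the inner tunnel checks a password rather than a client certificate (which answers the hotspot question: EAP-TTLS only needs the CA on the client, not a per-user certificate), and a wpa_supplicant network block that trusts ca.pem and also checks the server name, the client-side step Alan says many guides leave out. The SSID, identity, password, server CN, key password and file paths are assumptions.

```conf
# --- /etc/raddb/eap.conf (FreeRADIUS 2.1.x syntax) ---
# All values are assumed example values; this is not the thread's configuration.
eap {
        # Setting from the thread: the server proposes EAP-MD5 first, the first
        # round ends in an EAP-NAK and the method has to be renegotiated.
        #default_eap_type = md5

        # Corrected: propose the method the clients will actually use.
        default_eap_type = ttls

        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever      # assumption: as set in server.cnf
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem            # the CA that also gets copied to clients
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
        }

        ttls {
                # Inner method inside the TLS tunnel: MS-CHAPv2 against the users
                # file, so the client needs a username/password, not a certificate.
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
}

# --- /etc/raddb/users (entry the inner-tunnel virtual server authenticates against) ---
# assumed account
andreas Cleartext-Password := "secret"

# --- wpa_supplicant.conf on the Linux client ---
network={
        ssid="example-wlan"                      # assumption
        key_mgmt=WPA-EAP
        eap=TTLS
        anonymous_identity="anonymous"           # outer identity, sent in the clear
        identity="andreas"                       # real identity, only inside the tunnel
        password="secret"
        # Trust only the CA that signed server.pem (the ca.pem from certs/).
        ca_cert="/etc/cert/ca.pem"
        # Check the server certificate's subject as well, not just the issuing CA;
        # without this any certificate from that CA would be accepted.
        subject_match="/CN=radius.example.org"   # assumed CN; substring match
        phase2="auth=MSCHAPV2"
}
```

The server side can be checked without the AP using eapol_test from the wpa_supplicant source tree, for example `eapol_test -c ttls.conf -a 127.0.0.1 -s testing123` (testing123 is the secret clients.conf ships for localhost), with `radiusd -X` running in another terminal; eapol_test reports SUCCESS only after an Access-Accept. If the server log shows it sending its certificate and then a TLS alert arriving from the client instead of the inner-tunnel authentication, the client rejected the certificate, which is the "client doesn't trust the server" case Alan describes: check the ca_cert path and the subject_match value on the client before touching anything on the server.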