Re: PEAP problems, never see an Access-Accept
Jorgen Rosink [EMAIL PROTECTED] wrote:
> Had a hard time to even start FreeRadius on my Debian Unstable system with a working PEAP module (yes, I'm aware of OpenSSL licences and eap_tls / eap_peap linking problems with Debian, _now_ ;-) ). I'm currently using the 20060202 snapshot. With this version (also tried 20060130, same behaviour) I'm able to create PEAP-enabled Debian packages, after manually editing the pcap section in the main Makefile.

I'd suggest using 1.1.0, unless you're willing to work with an unstable version of FreeRADIUS.

> The problem now is that I'm trying to authenticate a default Windows XP SP2 supplicant (ipw2200 NIC) with PEAP, MSCHAPv2 and an HP ProCurve 520WL Access Point in 802.1x mode (latest firmware). Below are my FreeRadius startup and an attempt to authenticate. Could someone please point me in a direction as to what's going on? I've no clue what's wrong...

The symptom that Windows stops talking to the RADIUS server usually means that the server certificate doesn't contain the magic Windows OIDs. See the scripts/ directory for samples of how to create certs with the right stuff.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP problems, never see an Access-Accept
On 2/3/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Jorgen Rosink [EMAIL PROTECTED] wrote:
> > Had a hard time to even start FreeRadius on my Debian Unstable system with a working PEAP module (yes, I'm aware of OpenSSL licences and eap_tls / eap_peap linking problems with Debian, _now_ ;-) ). I'm currently using the 20060202 snapshot. With this version (also tried 20060130, same behaviour) I'm able to create PEAP-enabled Debian packages, after manually editing the pcap section in the main Makefile.
>
> I'd suggest using 1.1.0, unless you're willing to work with an unstable version of FreeRADIUS.

I'd like to, but I'm unable to build working Debian packages with both the official 1.1.0 source and the Debian upstream one (overriding the libssl-dev build conflict). The symlinks in my FreeRADIUS libdir for both eap_tls and eap_peap are invalid with this version (1.0.5 also failed). From what I understand this should be fixed in 1.1.0, but as mentioned earlier, the latest snapshots are the only ones working here, with PEAP that is.

> > The problem now is that I'm trying to authenticate a default Windows XP SP2 supplicant (ipw2200 NIC) with PEAP, MSCHAPv2 and an HP ProCurve 520WL Access Point in 802.1x mode (latest firmware). Below are my FreeRadius startup and an attempt to authenticate. Could someone please point me in a direction as to what's going on? I've no clue what's wrong...
>
> The symptom that Windows stops talking to the RADIUS server usually means that the server certificate doesn't contain the magic Windows OIDs. See the scripts/ directory for samples of how to create certs with the right stuff.

That did the trick, thank you very much!!!
Re: peap problems
Quoting Michael Griego [EMAIL PROTECTED]:
> I'm guessing you're using the Windows XP supplicant? This looks like a classic case of your CA certificate not being present on the client machine.
>
> --Mike
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas

Hi. Yes, I use the WinXP (SP2) supplicant and the access point is an Intel 2011B. I created new certificates, then copied the root.der and client-crt.p12 files to the supplicant. Windows shows that the certificates are OK and uses them for the remote client identity. (I'm trying the TLS method too.) Now, in the authentication process, I find the following error lines:

rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: TLS 1.0 Handshake [length 03a8], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: TLS 1.0 Handshake [length 0044], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13

The next lines tell how I create the certificates.

*** Server certificate ***
# server key and CSR
openssl genrsa -des3 -out server-key.pem 2048
openssl req -new -key server-key.pem -out server-csr.pem
# self-signed certificate from the CSR (overwritten by the CA-signed one below)
openssl req -in server-csr.pem -out server-crt.pem -key server-key.pem -x509 -days 3652
# CA-signed server certificate; no -extensions section is given here
openssl ca -in server-csr.pem -out server-crt.pem -days 3652 -policy policy_anything

*** root certificate ***
# the server certificate is reused as the "root" and exported as DER for Windows
cp server-crt.pem root.pem
openssl x509 -in root.pem -inform PEM -out root.der -outform DER

*** client certificate ***
openssl genrsa -des3 -out client-key.pem 2048
openssl req -new -key client-key.pem -out client-csr.pem
# client certificate signed with the xpclient_ext section from the xpextensions file
openssl ca -in client-csr.pem -out client-crt.pem -days 125 -extensions xpclient_ext -extfile xpextensions -policy policy_anything
# PKCS#12 bundle (key + certificate) for import on the Windows client
openssl pkcs12 -export -in client-crt.pem -inkey client-key.pem -name "Radius Suse" -certfile client-crt.pem -out client.p12
openssl x509 -inform PEM -outform DER -in client-crt.pem -out client-crt.der
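Added example, not code from either thread and not the FreeRADIUS project's own scripts: a small POSIX shell script that does what Alan DeKok's answer in the PEAP thread points at and what the recipe above omits for the server side. It builds a throw-away CA, signs an EAP server certificate with an extension section carrying id-kp-serverAuth (OID 1.3.6.1.5.5.7.3.1, the "magic Windows OID" for the server certificate), and then checks the result the way a practitioner would before blaming the supplicant: the EKU is present in the signed certificate, the certificate chains to the CA, and the CA (not the server certificate) is exported as DER for import into the client's trusted-root store. For contrast it also produces a plain self-signed certificate with no extension section, the shape that makes the XP supplicant stop responding. The host name radius.example.org, the CA name, the file names and the working directory are assumptions for the demo; the section names follow the xpextensions file mentioned in the post above.

```shell
#!/bin/sh
# Added example (not from the list thread or from FreeRADIUS): build a demo CA
# and an EAP server certificate carrying id-kp-serverAuth (1.3.6.1.5.5.7.3.1),
# then verify the certificate before pointing eap.conf at it.
# Host name, CA name, file names and directory are demo assumptions.
set -u
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Extension sections. Names mirror the xpextensions file shipped under
# FreeRADIUS' scripts/ directory; the OIDs are the standard PKIX EKU purposes.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = radius.example.org

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
}

# Return 0 when the certificate in $1 carries the serverAuth EKU.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Return 0 when certificate $2 validates against the CA in $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_demo_pki() {
    write_config || return 1
    # 1. Self-signed CA. Its DER form is what the client imports as a trusted
    #    root; the server certificate itself is never copied to the client.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3652 \
        -config "$CNF" -extensions ca_ext -subj "/CN=Demo RADIUS CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null || return 1
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der" || return 1
    # 2. Server key and CSR.
    openssl req -new -nodes -newkey rsa:2048 -config "$CNF" \
        -subj "/CN=radius.example.org" \
        -keyout "$WORK/server-key.pem" -out "$WORK/server-csr.pem" 2>/dev/null || return 1
    # 3. Sign the CSR with the xpserver_ext section: this step adds the EKU.
    openssl x509 -req -in "$WORK/server-csr.pem" -days 730 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$CNF" -extensions xpserver_ext \
        -out "$WORK/server-crt.pem" 2>/dev/null || return 1
    # 4. Contrast case: a self-signed certificate with no extension section,
    #    i.e. no serverAuth EKU and no chain to any CA the client trusts.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 730 -config "$CNF" \
        -subj "/CN=radius.example.org" \
        -keyout "$WORK/plain-key.pem" -out "$WORK/plain-crt.pem" 2>/dev/null || return 1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    build_demo_pki || { echo "certificate generation failed" >&2; return 1; }
    for c in server-crt plain-crt; do
        if has_server_auth_eku "$WORK/$c.pem"; then
            echo "$c.pem: serverAuth EKU present"
        else
            echo "$c.pem: serverAuth EKU missing, the XP supplicant will go silent"
        fi
    done
    if chain_verifies "$WORK/ca.pem" "$WORK/server-crt.pem"; then
        echo "server-crt.pem chains to ca.pem"
    fi
    echo "import $WORK/ca.der on the client; use $WORK/server-crt.pem in eap.conf"
}

main
```

The check functions are the part worth keeping around: running has_server_auth_eku against whatever certificate_file eap.conf points at, and chain_verifies against the CA the clients were given, answers in seconds whether a silent Windows supplicant is a certificate problem or something else. Note that the recipe in the post above signs the server certificate without any -extensions argument and then copies that server certificate into root.pem; the client then trusts the server certificate directly rather than a CA, and the server certificate carries no serverAuth EKU.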
Re: peap problems
I'm guessing you're using the Windows XP supplicant? This looks like a classic case of your CA certificate not being present on the client machine.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

ealatalo wrote:
> Quoting Jacques VUVANT [EMAIL PROTECTED]:
> > Hello T
> > It seems that the user doesn't exist in users.conf
> > Jacques
>
> The problem was that I had changed the detail NT_Domain_hack = yes. Now I have changed it back to no and that problem is solved. But now I get the following new problem. :(
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.50.50.13:1117, id=92, length=141
>         User-Name = TWIRE12\\jaskajok
>         NAS-IP-Address = 10.50.50.13
>         Called-Station-Id = 00034715cbc3
>         Calling-Station-Id = 00022d1d5cb1
>         NAS-Identifier = WARLORD1
>         NAS-Port = 29
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
>         Message-Authenticator = 0x08a61ed2a9cfdf1b75fddc6da963f23a
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module preprocess returns ok for request 0
>   modcall[authorize]: module chap returns noop for request 0
>   modcall[authorize]: module mschap returns noop for request 0
>     rlm_realm: No '@' in User-Name = TWIRE12\jaskajok, looking up realm NULL
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module suffix returns noop for request 0
>   rlm_eap: EAP packet type response id 1 length 21
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module eap returns updated for request 0
>     users: Matched DEFAULT at 156
>   modcall[authorize]: module files returns ok for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module eap returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 92 to 10.50.50.13:1117
>         EAP-Message = 0x010200061920
>         Message-Authenticator = 0x
>         State = 0xe6b4b0ad3e594db130de344878b1cd7c
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 92 with timestamp 41f6af2e
> Nothing to do. Sleeping until we see a request.
>
> ** part of eap.conf **
> default_eap_type = peap
> ...
> tls {
>         private_key_password = arvaatko
>         private_key_file = ${raddbdir}/varmenteet/palvelin-key.pem
>
>         # If Private key & Certificate are located in
>         # the same file, then private_key_file &
>         # certificate_file must contain the same file
>         # name.
>         certificate_file = ${raddbdir}/varmenteet/palvelin-crt.pem
>
>         # Trusted Root CA list
>         CA_file = ${raddbdir}/varmenteet/CA-crt.pem
>         dh_file = ${raddbdir}/varmenteet/certs/dh
>         random_file = ${raddbdir}/varmenteet/certs/random
> ...
> peap {
>         default_eap_type = mschapv2
> }
>
> ** part of users **
> jaskajok        User-Password == Reititys2
>                 Framed-IP-Address = 10.50.50.12,
>                 Framed-IP-Netmask = 255.255.255.0
>
> *** radiusd.conf - no changes made ***
Re: peap problems
Hi! I'm trying to configure FreeRADIUS with PEAP authentication. I use WinXP for the client. When starting authentication, I get the following error. Can somebody help me and tell me what is going wrong? I have made changes to the radiusd.conf, eap.conf, users and clients.conf files. Should I make changes to the huntgroups file? (FreeRADIUS 1.0.0, SuSE 9.2)

T.ea

Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21, length=141
        User-Name = TWIRE12\\jaskajok
        NAS-IP-Address = 10.50.50.13
        Called-Station-Id = 00034715cbc3
        Calling-Station-Id = 00022d1d5cb1
        NAS-Identifier = WARLORD1
        NAS-Port = 29
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
        Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched jaskajok at 97
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---

I have the following lines in the users file. (I don't have a users.conf file..?)

#John Doe       Auth-Type := Local, User-Password == hello
#               Reply-Message = Hello, %u

jaskajok        User-Password == Reititys3

#
# Dial user back and telnet to the default host for that port