Re: question about windows users
On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik wrote:
> > Problem was solved thanks to Ivan assistance,
> > Main problem was on switch side and its configuration,
> > Second problem was - proper certificate to proper certificate store
> > And third - in my head :).
>
> OK. Now that you have established that client certificates signed by CA
> work with XP SP3, can you check if server signed certificates (made by
> original Makefile) also work, or is XP SP3 rejecting them. Could you
> report to the list with the result.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

No, standard Makefile is not working.

freeradius -X output:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "u...@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x3fa86bcca888e9174c33ff2206178e97
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 160 to 192.168.5.206 port 1812
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x
        State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161, length=150
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "u...@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
        EAP-Message = 0x02010006030d
        Message-Authenticator = 0xe1ef7b423be0a169598a253da36247c0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 161 to 192.168.5.206 port 1812
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0x0a8a026e0b880fea4f51a121d61eb2bf
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=162, length=224
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "u...@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0a8a026e0b880fea4f51a121d61eb2bf
        EAP-Message = 0x020200500d8000461603010041013d03014a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f56941600040005000a0009006400
                62000300060013001200630100
        Message-Authenticator = 0xca0d351030f630125dd9b87f5d39e7e9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] No EAP
Re: question about windows users
> Problem was solved thanks to Ivan assistance,
> Main problem was on switch side and its configuration,
> Second problem was - proper certificate to proper certificate store
> And third - in my head :).

OK. Now that you have established that client certificates signed by CA
work with XP SP3, can you check if server signed certificates (made by
original Makefile) also work, or is XP SP3 rejecting them. Could you
report to the list with the result.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
Problem was solved thanks to Ivan assistance,
Main problem was on switch side and its configuration,
Second problem was - proper certificate to proper certificate store
And third - in my head :).

Thank you again
Bartosz.
Re: question about windows users
>>So, check EAP settings on your windows machine - have you cleared server certificate validation box?

yes I tried with such settings, after that my freeradius -X logs:

rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=245, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user_certificate"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0201001501757365725f6365727469666963617465
        Message-Authenticator = 0x2329ec2c85dc1d283a985e213260a2c4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 245 to 192.168.5.206 port 1812
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x7895d3087897cab912734ed23163fd96
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 245 with timestamp +137
Ready to process requests.

On Wed, May 20, 2009 at 10:24 PM, Ivan Kalik wrote:
> >> Check connection settings on Windows machine.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> > I am using a standard settings of eap.conf
> > when I change eap.conf to:
> > # default_eap_type = md5
> > default_eap_type = peap
> >
>
> That's not Windows machine - that's on your radius server. Changing that
> is cosmetic - it won't do anything substantial.
>
> http://deployingradius.com/
>
> Have you read this? You are trying to do step 4 without sorting out step
> 2. So, check EAP settings on your windows machine - have you cleared
> server certificate validation box?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: question about windows users
>> Check connection settings on Windows machine.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
> I am using a standard settings of eap.conf
> when I change eap.conf to:
> # default_eap_type = md5
> default_eap_type = peap

That's not Windows machine - that's on your radius server. Changing that
is cosmetic - it won't do anything substantial.

http://deployingradius.com/

Have you read this? You are trying to do step 4 without sorting out step
2. So, check EAP settings on your windows machine - have you cleared
server certificate validation box?

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
I am using a standard settings of eap.conf
when I change eap.conf to:
# default_eap_type = md5
default_eap_type = peap

I get a similar message:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=242, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user_certificate"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x021501757365725f6365727469666963617465
        Message-Authenticator = 0x4fea88a60594825de9229268206fb02d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 242 to 192.168.5.206 port 1812
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x
        State = 0x54cef72d54cfee66f11829ca8f9f95d7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 242 with timestamp +37
Ready to process requests.

On Wed, May 20, 2009 at 3:51 PM, Ivan Kalik wrote:
> > [eap] processing type md5
> > rlm_eap_md5: Issuing Challenge
>
> Hm, you are saying you want to do EAP-TLS but your server reports that it
> has got EAP-MD5 request. Check connection settings on Windows machine.
>
> Ivan Kalik
> Kalik Informatika ISP
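The point Ivan makes in the quoted reply is that the debug output already says which EAP method the supplicant actually negotiated ("[eap] processing type md5" versus "processing type tls"). The following is an added example, not code from the thread or from FreeRADIUS: a POSIX shell/awk filter that reduces freeradius -X output to one line per request (request id, User-Name, negotiated EAP type, whether a client certificate was required, and the reply sent) and marks requests whose EAP type is not the one you expected. The sample log is a constructed, condensed extract of the debug output posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): summarise freeradius -X
# output per request and flag an unexpected EAP type. SAMPLE_LOG is a
# constructed, condensed extract of the debug output posted in the thread.
set -e

SAMPLE_LOG='Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=240, length=147
        User-Name = "user_certificate"
[eap] EAP packet type response id 0 length 21
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
Sending Access-Challenge of id 240 to 192.168.5.206 port 1812
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161, length=150
        User-Name = "u...@example.com"
[suffix] No such realm "example.com"
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
Sending Access-Challenge of id 161 to 192.168.5.206 port 1812'

# summarize_eap EXPECTED_TYPE  (reads the debug log on stdin)
# Prints one line per request: id, user, negotiated EAP type, whether the
# TLS module demanded a client certificate, the reply packet type, and
# "ok" or "MISMATCH" depending on whether the EAP type equals EXPECTED_TYPE.
summarize_eap() {
  awk -v expected="$1" '
    /^rad_recv: Access-Request/ {
      # start of a new request: pull the RADIUS packet id out of "id=NNN"
      match($0, /id=[0-9]+/)
      id = substr($0, RSTART + 3, RLENGTH - 3)
      user = "?"; type = "none"; clientcert = "no"
      next
    }
    /^[ \t]*User-Name = /               { user = $3; next }
    /^\[eap\] processing type /          { type = $NF; next }
    /^\[tls\] Requiring client certificate/ { clientcert = "yes"; next }
    /^Sending Access-(Challenge|Accept|Reject)/ {
      # the reply line closes the request: emit the summary for it
      flag = (type == expected) ? "ok" : "MISMATCH"
      printf "id=%s user=%s eap=%s client_cert_required=%s reply=%s %s\n", id, user, type, clientcert, $2, flag
    }'
}

# Usage: feed a captured "freeradius -X" log and say which EAP type you
# expect; every MISMATCH line is a conversation that did not negotiate it.
printf '%s\n' "$SAMPLE_LOG" | summarize_eap tls
```

Run against the sample above with `tls` as the expected type, request id 240 is reported as MISMATCH (EAP-MD5 was negotiated, which is what the Windows side was offering in the earlier posts), while id 161 is reported as ok with a client certificate required. Feeding a real `freeradius -X 2>&1 | tee radius.log` capture works the same way.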
Re: question about windows users
ok I changed it to default
proxy_requests = yes
$INCLUDE proxy.conf

/etc/freeradius/certs/Makefile was:

#client.crt: client.csr server.crt server.key index.txt serial
#       openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

is now:

client.crt: client.csr ca.pem ca.key index.txt serial
        openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

changes in client.cnf was:

certificate = $dir/server.pem
serial = $dir/serial
private_key = $dir/server.key
commonName = u...@example.com

is now:

certificate = $dir/ca.pem
serial = $dir/serial
private_key = $dir/ca.key
commonName = user_certificate

now after installation of ca.der and client.p12 in windows everything in certificate stores seems to be ok.
there is no exclamation mark on user_certificate, and certification path is ok

back to the server:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=240, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user_certificate"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x021501757365725f6365727469666963617465
        Message-Authenticator = 0x0d65a52fd78035c3c828c30d2a2442d9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168.5.206 port 1812
        EAP-Message = 0x0101001604100c91af03e9cd5c25126407d36f22684a
        Message-Authenticator = 0x
        State = 0xb5a5cfd0b5a4cb20491e5ee122e4a622
Finished request 0.
Going to the next request

On Wed, May 20, 2009 at 2:39 PM, Ivan Kalik wrote:
> >>> The steps you took show that you are NOT following the guide.
> >>> Good luck. You clearly are *not* interested in solving the problem.
> >
> > the guide in radiusd.conf says:
> > #The server has proxying turned on by default. If your system is NOT
> > # set up to proxy requests to another server, then you can turn proxying
> > # off here. This will save a small amount of resources on the server.
> > I tried to read carefully with understanding, I dont use proxy, my system
> > not sending request to another server, so I turned it off.
>
> You might not want to, but you *are* proxying your requests. You have
> created client certificate with predefined data in client.cnf - which is
> part of the proxy demonstration setup. So, leave proxy settings alone and
> concentrate on doing what you have been advised - changing data in
> client.cnf so created client certificate won't have @example.com as part
> of the username.
>
> Ivan Kalik
> Kalik Informatika ISP
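The Makefile change in this post moves the signing of client.crt from the server certificate to the CA, which is why Windows stops showing the exclamation mark: the supplicant only holds the CA in Trusted Root, so a client certificate has to chain to that CA directly. The script below is an added example, not the FreeRADIUS certs/Makefile (which drives `openssl ca` with an index and serial file) and not anything posted in the thread. It builds a throwaway CA, issues one client certificate from the CA and one from the server certificate, and checks which of the two `openssl verify` accepts against the CA alone. It assumes the openssl command line tool is installed; every subject name and file name is constructed for the demo, and the extendedKeyUsage file stands in for the role the xpextensions file plays in the FreeRADIUS Makefile.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS Makefile): show why a
# client certificate must be signed by the CA, not by the server certificate.
# Names, paths and subjects below are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA, explicitly marked CA:TRUE so it is a valid trust anchor
# regardless of the local openssl.cnf defaults.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=my_radius_CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_cert NAME SIGNER CN EKU: generate a key and CSR for NAME and sign it
# with SIGNER's certificate and key, adding the given extended key usage
# (clientAuth/serverAuth are the same OIDs the xpextensions file uses).
issue_cert() {
  name="$1"; signer="$2"; cn="$3"; eku="$4"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/$signer.pem" -CAkey "$WORK/$signer.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# chain_ok NAME: succeeds only if NAME.pem verifies with nothing but the CA,
# which is all a Windows supplicant has once ca.der is in Trusted Root.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

build_demo() {
  make_ca
  issue_cert server        ca     server_cert serverAuth
  issue_cert client_by_ca  ca     client_cert clientAuth   # like the changed client.crt target
  issue_cert client_by_srv server client_cert clientAuth   # like the original client.crt target
}

# One verdict line per client certificate.
report() {
  for c in client_by_ca client_by_srv; do
    if chain_ok "$c"; then
      echo "$c: chains to my_radius_CA"
    else
      echo "$c: does NOT chain to my_radius_CA"
    fi
  done
}

build_demo
report
```

Running it prints that client_by_ca chains to the CA while client_by_srv does not: the server certificate is an end-entity certificate without the CA bit, so nothing signed by it can be validated from the CA alone, which is the "does not have enough information to verify this certificate" situation from earlier in the thread. Checking a certificate this way on the server before exporting the .p12 is a cheap pre-flight for any EAP-TLS rollout.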
Re: question about windows users
>>> The steps you took show that you are NOT following the guide.
>>> Good luck. You clearly are *not* interested in solving the problem.
>
> the guide in radiusd.conf says:
> #The server has proxying turned on by default. If your system is NOT
> # set up to proxy requests to another server, then you can turn proxying
> # off here. This will save a small amount of resources on the server.
> I tried to read carefully with understanding, I dont use proxy, my system
> not sending request to another server, so I turned it off.

You might not want to, but you *are* proxying your requests. You have
created client certificate with predefined data in client.cnf - which is
part of the proxy demonstration setup. So, leave proxy settings alone and
concentrate on doing what you have been advised - changing data in
client.cnf so created client certificate won't have @example.com as part
of the username.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
>> The steps you took show that you are NOT following the guide.
>> Good luck. You clearly are *not* interested in solving the problem.

the guide in radiusd.conf says:
#The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
I tried to read carefully with understanding, I dont use proxy, my system
not sending request to another server, so I turned it off.

On Wed, May 20, 2009 at 1:35 PM, Alan DeKok wrote:
> Bartosz Chodzinski wrote:
> > back to the beginning
> > and using the most simple conf.
> ...
> > now I have clear configuration and make simply changes
> >
> > changes:
> > radiusd.conf
> > proxy_requests = no #was yes, set to no cause I dont need it
>
> The guide didn't say to do that.
>
> ...
> > I still have a problem - described in previous post
>
> The steps you took show that you are NOT following the guide.
>
> Good luck. You clearly are *not* interested in solving the problem.
>
> Alan DeKok.
Re: question about windows users
> next I made client certificate (using standard scripts)
> #cd /etc/freeradius/certs
> #make client
> and install certificates client.p12, ca.der on Win Xp Prof Sp3 OEM, Acer
> Travel Mate 380
> certificates installed in Trusted Root CA and Personal storages (I deleted
> all previous certs on that system)
>
> I still have a problem - described in previous post
>>exclamation mark on client certificate:
>>"windows does not have enough information to verify this certificate"
>>"you have private key that corresponds to this certificate"
>>http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu
> but I am frightened to make any changes without your permission in
> /etc/freeradius/certs/Makefile, and even though I have your permission I
> still
> dont know what to change

Yes, we have been through this before. Change make client in Makefile, so
that it uses ca and not server certificate to sign client certificates. I
would create changes and save them as Makefile.CA. Perhaps that can be added
into the distribution, so you would just rename Makefile to Makefile.old and
Makefile.CA to Makefile in order to make this switch (and add comments about
that in README file).

> I get familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I
> did
> not find what to change in this file

Because that's openSSL stuff, not Freeradius. If you don't know what to
change, I will post this file overnight, when I have a bit more time.

> Ivan write:
>>Use your own domain. For EAP-TLS - no modification needed. I have seen
>> you
>>going on about PEAP as well. If those users are also using format
>>u...@your_domain, then create local realm your_domain - it won't
>> interfere
>>with EAP-TLS and will create Stripped-User-Name that can be used for
>>authentication.
> I dont want to have a domain yet,
> no usernames, no password for usernames, no proxies, no domains at all

Yet:

> User-Name = "u...@example.com"

you created the user with the domain. As I said previously, there are
preset example files in the default configuration. You need to alter
client.cnf and enter details for your test user without the domain in the
name. If you need guidance about altering those files you should look it
up on openSSL site.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
Bartosz Chodzinski wrote:
> back to the beginning
> and using the most simple conf.
...
> now I have clear configuration and make simply changes
>
> changes:
> radiusd.conf
> proxy_requests = no #was yes, set to no cause I dont need it

The guide didn't say to do that.

...
> I still have a problem - described in previous post

The steps you took show that you are NOT following the guide.

Good luck. You clearly are *not* interested in solving the problem.

Alan DeKok.
Re: question about windows users
back to the beginning
and using the most simple conf.

to be sure that I have clear configuration
#apt-get remove freeradius
#dpkg -P freeradius
#dpkg -i freeradius_2.1.6-0_i386.deb

server is Debian etchnhalf, it is virtual server on VMware ESX Server 3i, 3.5.0

now I have clear configuration and make simply changes

changes:
radiusd.conf
proxy_requests = no #was yes, set to no cause I dont need it
#$INCLUDE proxy.conf #was uncommented, see above

eap.conf
no changes at all

clients.conf
add a client - 192.168.5.0/24 (client Cisco 2950)

next I made client certificate (using standard scripts)
#cd /etc/freeradius/certs
#make client
and install certificates client.p12, ca.der on Win Xp Prof Sp3 OEM, Acer Travel Mate 380
certificates installed in Trusted Root CA and Personal storages (I deleted all previous certs on that system)

I still have a problem - described in previous post
>exclamation mark on client certificate:
>"windows does not have enough information to verify this certificate"
>"you have private key that corresponds to this certificate"
>http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu

but I am frightened to make any changes without your permission in /etc/freeradius/certs/Makefile, and even though I have your permission I still dont know what to change

I get familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I did not find what to change in this file

Ivan write:
>Use your own domain. For EAP-TLS - no modification needed. I have seen you
>going on about PEAP as well. If those users are also using format
>u...@your_domain, then create local realm your_domain - it won't interfere
>with EAP-TLS and will create Stripped-User-Name that can be used for
>authentication.

I dont want to have a domain yet, all I want to have at the beginning:
server radius + server certificate (common name: server_cert - signed by my_radius_CA)
clients radius (cisco 2950)
user radius (winxp) + client certificate (common name: client_cert - signed by my_radius_CA)
no usernames, no password for usernames, no proxies, no domains at all

I used files - ca, server, client, da, random created by /etc/freeradius/certs/bootstrap script

I know that I am at the start of the topic, I am listening, really.

Bartosz.

freeradius -X

rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=226, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "u...@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x9bcadf204cf30292cfb7f1abed75501b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 226 to 192.168.5.206 port 1812
        EAP-Message = 0x0101001604108a193ba39f65974f35dc5b3140db877f
        Message-Authenticator = 0x
        State = 0x495360bd49526405f11f72d516a953d3
Finished request 0.
Going to the next request

On Wed, May 20, 2009 at 11:38 AM, Ivan Kalik wrote:
> > could you give me good freeradius guide for dummies - I think I need it
> :)
> >
>
> Guide: don't make any changes to the default configuration unless you know
> what you are doing. That's it.
>
> Server is configured by default to handle EAP-TLS. There is nothing that
> you need to do to make it happen.
>
> Now, about your problem: freeradius uses fake realm example.com - for
> examples. Of proxying, fail-over home servers, use of virtual servers etc.
> Why are *you* using it as well? These examples are not what you want to
> do.
>
> Use your own domain. For EAP-TLS - no modification needed. I have seen you
> going on about PEAP as well. If those users are also using format
> u...@your_domain, then create local realm your_domain - it won't interfere
> with EAP-TLS and will create Stripped-User-Name that can be used for
> authentication.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: question about windows users
> could you give me good freeradius guide for dummies - I think I need it :)

Guide: don't make any changes to the default configuration unless you know
what you are doing. That's it.

Server is configured by default to handle EAP-TLS. There is nothing that
you need to do to make it happen.

Now, about your problem: freeradius uses fake realm example.com - for
examples. Of proxying, fail-over home servers, use of virtual servers etc.
Why are *you* using it as well? These examples are not what you want to
do.

Use your own domain. For EAP-TLS - no modification needed. I have seen you
going on about PEAP as well. If those users are also using format
u...@your_domain, then create local realm your_domain - it won't interfere
with EAP-TLS and will create Stripped-User-Name that can be used for
authentication.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
Bartosz Chodzinski wrote:
> I am not saying that you are lying, I even didnt think like that, I
> never intend to insult you,

You're not insulting us. I am asking you to *think* about what you are
saying.

> yes, it annoying me - I start to do something with radius cause I felt
> that is good idea to know how to do it, and how it works but I meet the
> wall I can't crush so I am often have to counting to 10 to stay on ground.
> back to the subject:

No. You are NOT listening. You are NOT following instructions.

We do NOT want to see copies of your configuration. If your
configuration is the SAME as the default, then we've already seen it many
times. If your configuration is NOT the same as the default, then you are
changing it after being told to NOT change it.

Follow instructions and it will work.

This is the LAST time I will say this. If you keep sending email that
shows you are NOT following instructions, I will NOT respond to it. I
cannot help you if you refuse to follow my instructions.

Alan DeKok.
Re: question about windows users
Hey People!,

I am not saying that you are lying, I even didnt think like that, I never intend to insult you, for god sake, I am asking for help - that mean that you are the masters and I am the student

yes, it annoying me - I start to do something with radius cause I felt that is good idea to know how to do it, and how it works but I meet the wall I can't crush so I am often have to counting to 10 to stay on ground.

back to the subject:

proxy.conf

proxy server {
        default_fallback = no
}

home_server localhost {
        type = auth
        ipaddr = 127.0.0.1
        port = 1812
        secret = testing123
        require_message_authenticator = no
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        check_interval = 30
        num_answers_to_alive = 3
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}

home_server virtual.example.com {
        virtual_server = virtual.example.com
}

home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
}

realm example.com {
        #auth_pool = my_auth_failover #commented by me /by Ivan suggestion/
}

realm LOCAL {
}

realm NULL {
        secret = password
}

On Wed, May 20, 2009 at 10:21 AM, Alan DeKok wrote:
> Bartosz Chodzinski wrote:
> > could you give me good freeradius guide for dummies - I think I need it
> :)
>
> $ man radiusd
>
> It contains a section describing how to make changes to the
> configuration files.
>
> For EAP, see http://deployingradius.com
>
> The front page contains 4 steps to get EAP working. Follow the steps.
> Start with the DEFAULT configuration. Do NOT make changes unless the
> guide says to. EAP *will* work.
>
> Alan DeKok.
Re: question about windows users
Bartosz Chodzinski wrote:
> could you give me good freeradius guide for dummies - I think I need it :)

$ man radiusd

It contains a section describing how to make changes to the
configuration files.

For EAP, see http://deployingradius.com

The front page contains 4 steps to get EAP working. Follow the steps.
Start with the DEFAULT configuration. Do NOT make changes unless the
guide says to. EAP *will* work.

Alan DeKok.
Re: question about windows users
Hi,

> realm example.com {
> }
> realm LOCAL {
> }
> realm NULL {
> }
> /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist

that's very interesting - because in the default proxy.conf there IS an
entry for home_server localhost.

so, I'll repeat once again, do not just randomly edit and remove config
entries. just change or add the few lines that you need and 'it will work'

I'm not lying - I've been using this software since the very early days
when it didn't 'just work' - going through the 1.0.x and 1.1.x where it
started to work and now with the joys of 2.1.x where its pretty amazingly
almost ready for production use with little or no changes!

alan
Re: question about windows users
could you give me good freeradius guide for dummies - I think I need it :)

On Wed, May 20, 2009 at 9:30 AM, Alan DeKok wrote:
> Bartosz Chodzinski wrote:
> > "make the basic changes to your eap.conf and client.conf it will work"
> > it wont.
>
> You can believe that, which means that everyone else is lying. They
> just download the software, follow the guides, and it "just works".
> But... because it doesn't work for you, they must be lying.
>
> Or, maybe you didn't follow the guides.
>
> > are all of you had so many troubles with radius or only me has so bad
> luck
>
> Many people have problems. Those problems are almost always caused by
> doing *too much*, without understanding what they're doing.
>
> > my realm example.com was:
>
> And here we have a problem. The EAP guides do NOT say to add realms.
> Why are you doing this?
>
> Follow the guides. Do nothing MORE than what the guides say.
>
> If you do NOT follow the guides, then do NOT complain that they don't
> work.
>
> > when I changed in proxy.conf it to
> >
> > realm example.com {
> > }
> >
> > radius wont start
> ...
> > realm example.com {
> > }
>
> So it IS loading the "example.com" realm.
>
> > realm LOCAL {
> > }
> > realm NULL {
> > }
> > /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist
>
> Is it really that difficult to read the debugging output?
>
> 1) It loads the realm "example.com" just fine. No problems.
>
> 2) Line 498 of /etc/freeradius/proxy.conf refers to a home server
> that doesn't exist. This error has *NOTHING* to do with the
> realm example.com
>
> The issue here is that you are NOT following the guides, and you are
> NOT reading the debugging output.
>
> Alan DeKok.
Re: question about windows users
Bartosz Chodzinski wrote:
> "make the basic changes to your eap.conf and client.conf it will work"
> it wont.

You can believe that, which means that everyone else is lying. They
just download the software, follow the guides, and it "just works".
But... because it doesn't work for you, they must be lying.

Or, maybe you didn't follow the guides.

> are all of you had so many troubles with radius or only me has so bad luck

Many people have problems. Those problems are almost always caused by
doing *too much*, without understanding what they're doing.

> my realm example.com was:

And here we have a problem. The EAP guides do NOT say to add realms.
Why are you doing this?

Follow the guides. Do nothing MORE than what the guides say.

If you do NOT follow the guides, then do NOT complain that they don't
work.

> when I changed in proxy.conf it to
>
> realm example.com {
> }
>
> radius wont start
...
> realm example.com {
> }

So it IS loading the "example.com" realm.

> realm LOCAL {
> }
> realm NULL {
> }
> /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist

Is it really that difficult to read the debugging output?

1) It loads the realm "example.com" just fine. No problems.

2) Line 498 of /etc/freeradius/proxy.conf refers to a home server
that doesn't exist. This error has *NOTHING* to do with the
realm example.com

The issue here is that you are NOT following the guides, and you are
NOT reading the debugging output.

Alan DeKok.
Re: question about windows users
> Don't strip the username. Why do you proxy this anyway? Create it as a local realm:

I am using the basic configuration without changes in config because:

> so..somewhere along the line you are playing with the User-Name attribute...something
> which you cannot do with EAP - if you take a standard 2.1.6 install and make the basic changes
> to your eap.conf and clients.conf it will work.

"make the basic changes to your eap.conf and client.conf it will work"
it won't.

have all of you had so many troubles with radius, or is it only me who
has such bad luck?

I tried to make my first config a year ago, and only had success with
eap=md5; after a month of fighting with peap I gave up. Now I have some
messages on screen, but answers like "basic changes" are really not helpful.

my realm example.com was:

realm example.com {
        auth_pool = my_auth_failover
}

when I changed it in proxy.conf to

realm example.com {
}

radius won't start

#freeradius -X
...
radiusd: Loading Realms and Home Servers
proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
}
realm example.com {
}
realm LOCAL {
}
realm NULL {
}
/etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist
Re: question about windows users
> I created once again certs by myself, giving common name for user cert the
> same like in example
> u...@example.com, I placed them on the xp client - both of them look ok,
> now something is happening (anyway like Aragorn said: "still not king"):
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206,
> length=147
...
> User-Name = "u...@example.com"
...
> [suffix] Found realm "example.com"
> [suffix] Adding Stripped-User-Name = "user"
> [suffix] Adding Realm = "example.com"
> [suffix] Proxying request from user user to realm example.com
> [suffix] Preparing to proxy authentication request to realm "example.com"
> ++[suffix] returns updated
...
> Sending Access-Request of id 14 to 127.0.0.1 port 1812
...
> User-Name = "user"
...
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
...

Don't strip the username. Why do you proxy this anyway? Create it as a
local realm:

realm example.com {
}

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
I created once again certs by myself, giving common name for user cert the
same like in example u...@example.com, I placed them on the xp client - both
of them look ok, now something is happening (anyway like Aragorn said:
"still not king"):

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "u...@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 14 to 127.0.0.1 port 1812
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x
        Proxy-State = 0x323036
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 14 to 127.0.0.1 port 1812
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x
        Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14, length=140
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x02150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633
        Proxy-State = 0x323036
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 14 to 127.0.0.1 port 1814
        Proxy-State = 0x323036
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14, length=25
        Proxy-State = 0x323036
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> u...@example.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 206 to 192.168.5.206 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 14 with timestamp +43
Cleaning up request 0 ID 206 with timestamp +43
Ready to process requests.

On Tue, May 19, 2009
Re: question about windows users
So in other words this script is for all clients except Microsoft-like ones?

> You should try altering make client command in Makefile so that client
> certificates are signed by ca and not server certificate.

do you have such an altered makefile?

On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik wrote:
> > # make client
> >
> > next I made a copy of ca.der and client.p12 to xp directory,
> > next I opened mmc and installed both of them to Trusted Root Certificate
> > Authorities and to Personal
> >
> > exclamation mark on client certificate:
> > "windows does not have enough information to verify this certificate"
> > "you have private key that corresponds to this certificate"
> >
>
> This is explained in raddb/certs/README - Compatibility. You should try
> altering make client command in Makefile so that client certificates are
> signed by ca and not server certificate.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: question about windows users
> # make client
>
> next I made a copy of ca.der and client.p12 to xp directory,
> next I opened mmc and installed both of them to Trusted Root Certificate
> Authorities and to Personal
>
> exclamation mark on client certificate:
> "windows does not have enough information to verify this certificate"
> "you have private key that corresponds to this certificate"
>

This is explained in raddb/certs/README - Compatibility. You should try
altering make client command in Makefile so that client certificates are
signed by ca and not server certificate.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
Ok, I downloaded 2.1.6

# unp freeradius-server-2.1.6.tar.gz
# cd /usr/src/freeradius-server-2.1.6
# dpkg-buildpackage -rfakeroot -uc -us
# dpkg -i freeradius_2.1.6-0_i386.deb
- the installer creates ca and server certs in /etc/freeradius/certs directory
# cd /etc/freeradius/certs
# make client

next I made a copy of ca.der and client.p12 to xp directory,
next I opened mmc and installed both of them to Trusted Root Certificate
Authorities and to Personal

exclamation mark on client certificate:
"windows does not have enough information to verify this certificate"
"you have private key that corresponds to this certificate"
http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu

changes in /etc/freeradius/eap.conf
only one line has been changed:
default_eap_type = peap

changes in /etc/freeradius/clients.conf
client 192.168.5.0/24 {
        secret = password
        shortname = private-network-2
}

log:
#/etc/init.d/freeradius stop
#freeradius -X
FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on May 19 2009 at 09:45:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/control-socket
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/freeradius/freera
Re: question about windows users
Hi,

> which Linux distribution should I use? So far I tried debian-etchnhalf, or
> CentOS, and in every How to it's written that I have to compile it by myself.
> This how to didn't work anyway... so I will try what you will suggest.
> Bartosz.

there's nothing wrong with compiling it yourself - so long as you have
the right dev libraries installed so all the bits you want get compiled..
you can check what's not going to be built by parsing the configure output eg

./configure --with-options-you-want | grep WARNING

ignore the WARNING entries for things you care not about and fix the
WARNING that you need (eap PEAP) by installing the needed libraries eg
openssl-devel

some distros come with a more recent FreeRADIUS (or have RPM / PKG
available for them - eg Fedora Core 11)

the default config from the source build is pretty much ready for anything
you want after just editing a few lines in the config (so long as the
supporting code - eg EAP ) has been compiled

alan
Re: question about windows users
> so..somewhere along the line you are playing with the User-Name attribute...something
> which you cannot do with EAP - if you take a standard 2.1.6 install and make the basic changes
> to your eap.conf and clients.conf it will work.

which Linux distribution should I use? So far I tried debian-etchnhalf, or
CentOS, and in every How to it's written that I have to compile it by myself.
This how to didn't work anyway... so I will try what you will suggest.
Bartosz.
Re: question about windows users
Hi,

> ok (you guys probably hate me :) but please could you still give me the
> answers as you did before)
> but back to the subject:
> I did like you said,
> I installed 2.0.4 version (compiled using suggestions from:
> http://www.fatofthelan.com/articles/articles.php?pid=27
> http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)

you are using an old version, you are using random 3rd party instructions
of dubious dates and knowledge.

> first one:
> when I open properties of client certificate on XP using mmc-certificates
> console I have the information that "Windows doesn't have enough information
> to verify this certificate" "You have proper private key to this
> certificate" (it is non-english system so it's a translation but I think
> translation is ok)

this means you didn't install the CA - ensure you've added it to the
trusted CA list in the system - use the certificate MMC Snapin.

> second one:

original packet has this:

> User-Name = "u...@example.com"

this is then proxied to the system handling example.com:

> rlm_realm: Looking up realm "example.com" for User-Name = "
> u...@example.com"
> rlm_realm: Found realm "example.com"
> rlm_realm: Adding Stripped-User-Name = "user"
> rlm_realm: Adding Realm = "example.com"
> rlm_realm: Proxying request from user user to realm example.com
> rlm_realm: Preparing to proxy authentication request to realm "
> example.com"
> ++[suffix] returns updated

..which then says this:

> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> rlm_eap: Failed in handler

so..somewhere along the line you are playing with the User-Name
attribute...something which you cannot do with EAP - if you take a
standard 2.1.6 install and make the basic changes to your eap.conf and
clients.conf it will work.

alan
Re: question about windows users
> I installed 2.0.4 version (compiled using suggestions from:
> http://www.fatofthelan.com/articles/articles.php?pid=27
> http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)
>

If you downloaded current version, you wouldn't need to ask. You have to
change makefile, so client certificates are signed by the ca and not server
certificate. MS introduced that glitch post XP SP2.

>
> second one:
> rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=138,
> length=147
...
> User-Name = "u...@example.com"
...
> rlm_realm: Found realm "example.com"
> rlm_realm: Adding Stripped-User-Name = "user"
> rlm_realm: Adding Realm = "example.com"
> rlm_realm: Proxying request from user user to realm example.com
...
> Sending Access-Request of id 188 to 127.0.0.1 port 1812
...
> User-Name = "user"
...
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> rlm_eap: Failed in handler
> ++[eap] returns invalid
> auth: Failed to validate the user.

You can't strip the username in EAP.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
ok (you guys probably hate me :) but please could you still give me the
answers as you did before)

but back to the subject:
I did like you said,
I installed 2.0.4 version (compiled using suggestions from:
http://www.fatofthelan.com/articles/articles.php?pid=27
http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)

Next, I made one change in eap.conf
default_eap_type = peap #was md5

and I added my switch-client to clients.conf

#cd /etc/freeradius/certs
#rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

I edited: ca.cnf, client.cnf, server.cnf and I changed one line in every one
default_bits= 1024 #was 2048

next:
#make ca ca.der dh random server client

Then I made the copy of ca.der and client.p12 to Windows, both of them are
installed in CA and Personal directory

And two things:
first one:
when I open properties of client certificate on XP using mmc-certificates
console I have the information that "Windows doesn't have enough information
to verify this certificate" "You have proper private key to this
certificate" (it is non-english system so it's a translation but I think
translation is ok)

second one:
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 18 2009 at 12:50:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/freeradius/freeradius.pid"
        user = "freerad"
        group = "freerad"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
        security {
                max_attributes = 200
                reject_delay = 1
                status_server = yes
        }
}
client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
}
client 192.168.5.0/24 {
        require_message_authenticator = no
        secret = "windows"
        shortname = "private-network-2"
}
radiusd: Loading Realms and Home Servers
proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
}
home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
}
home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
}
realm example.com {
        auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan "
        minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryptio
Re: question about windows users
Bartosz Chodzinski wrote:
> /etc/freeradius/certs/README

I've never understood why people think it's useful to post documentation
from the server on this list. Do you think we haven't seen it?

> and something happened:
> ( I think key information is
> TLS_accept:error in SSLv3 read client certificate A
> rlm_eap: SSL error error::lib(0):func(0):reason(0)
> but uncle google finds as many different answers as people having this problem)

It means that you're running a server that is YEARS out of date. Why not
use a more recent version?

> log freeradius -X:
> Sending Access-Challenge of id 115 to 192.168.5.206 port 1812
> EAP-Message =
> 0x010b00350d80002b1403010001011603010020735b6dedb59fdb27811198c86a86bb2fdf2e96ce8f59031cc76f36b80bf1d04c
> Message-Authenticator = 0x
> State = 0x9f4e794b784914b1f67ff19696408712
> Finished request 9
> Going to the next request
> Waking up in 5 seconds...
> --- Walking the entire request list ---
> Cleaning up request 5 ID 111 with timestamp 416c8b35

This is in the FAQ. Go read it.

Alan DeKok.
Re: question about windows users
> And I put client_cert.pem to both certificate stores Trusted CA and
> Personal
>

You should import .p12 version onto the client.

> Are you sure that I should not change anything in my server config files
>

Any particular reason you are creating certificates yourself? Why aren't you
using scripts from raddb/certs directory? Follow instructions in
raddb/certs/README.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
Thanks,
I created certificate

openssl req -new -keyout /etc/freeradius/eap/client_key.pem -out
/etc/freeradius/eap/client_req.pem -days 730 -passin pass:password
-passout pass:password

openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out
/etc/freeradius/eap/client_cert.pem -passin pass:password -key password
-extensions xpclient_ext -extfile /etc/freeradius/eap/xpextensions
-infiles /etc/freeradius/eap/client_req.pem

And I put client_cert.pem to both certificate stores Trusted CA and Personal
Are you sure that I should not change anything in my server config files
Anyway it is still not working :(.
Bartosz

On Fri, May 15, 2009 at 2:38 PM, Ivan Kalik wrote:
> > tls {
> >         private_key_file = /etc/freeradius/eap/newkey.pem
> >         certificate_file = /etc/freeradius/eap/newcert.pem
> >         CA_file = /etc/freeradius/eap/eapCA/cacert.pem
> >         dh_file = /etc/freeradius/eap/dh
> >         random_file = /etc/freeradius/eap/random
> >         fragment_size = 1024
> >         include_length = yes
> >         check_crl = no
> > }
> >
> > I tried both:
> > newcert.pem and/or cacert.pem
> > but still no message on debug screen:
>
> Neither of them are client certificates.
>
> newcert - server certificate
> cacert - ca certificate
>
> Ivan Kalik
> Kalik Informatika ISP
Re: question about windows users
> tls {
>         private_key_file = /etc/freeradius/eap/newkey.pem
>         certificate_file = /etc/freeradius/eap/newcert.pem
>         CA_file = /etc/freeradius/eap/eapCA/cacert.pem
>         dh_file = /etc/freeradius/eap/dh
>         random_file = /etc/freeradius/eap/random
>         fragment_size = 1024
>         include_length = yes
>         check_crl = no
> }
>
> I tried both:
> newcert.pem and/or cacert.pem
> but still no message on debug screen:

Neither of them are client certificates.

newcert - server certificate
cacert - ca certificate

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
tls {
        private_key_file = /etc/freeradius/eap/newkey.pem
        certificate_file = /etc/freeradius/eap/newcert.pem
        CA_file = /etc/freeradius/eap/eapCA/cacert.pem
        dh_file = /etc/freeradius/eap/dh
        random_file = /etc/freeradius/eap/random
        fragment_size = 1024
        include_length = yes
        check_crl = no
}

I tried both:
newcert.pem and/or cacert.pem
but still no message on debug screen:

()
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

windows client shows: verification failed.

I must be doing sth wrong, but I don't have any idea what.

On Fri, May 15, 2009 at 2:14 PM, Ivan Kalik wrote:
> > Thank you for answer.
> > I put this to personal store, I think it is a client certificate, I gave
> a
> > commonName ca_auth
> >
> > ..
> > Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
> > CN=ca_auth/emailaddress=em...@address.pl
> ...
> > Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
> > CN=ca_auth/emailaddress=em...@address.pl
> ...
> > X509v3 Basic Constraints:
> > CA:TRUE
>
> No, that looks like a self signed root certificate to me.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: question about windows users
> Thank you for answer.
> I put this to personal store, I think it is a client certificate, I gave a
> commonName ca_auth
>
> ..
> Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
> CN=ca_auth/emailaddress=em...@address.pl
...
> Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
> CN=ca_auth/emailaddress=em...@address.pl
...
> X509v3 Basic Constraints:
> CA:TRUE

No, that looks like a self signed root certificate to me.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
Thank you for answer.
I put this to personal store, I think it is a client certificate, I gave a
commonName ca_auth

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:61:67:27:8b:7d:0a:b1
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailaddress=em...@address.pl
        Validity
            Not Before: May 13 11:48:35 2004 GMT
            Not After : May 13 11:48:35 2007 GMT
        Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailaddress=em...@address.pl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                75:F4:EE:DC:BB:08:5C:11:B9:58:9D:64:11:EB:31:47:BF:23:AE:32
            X509v3 Authority Key Identifier:
                keyid:75:F4:EE:DC:BB:08:5C:11:B9:58:9D:64:11:EB:31:47:BF:23:AE:32
                DirName:/C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailaddress=em...@address.pl
                serial:99:61:67:27:8B:7D:0A:B1
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

am I correct or not?

On Fri, May 15, 2009 at 12:55 PM, Ivan Kalik wrote:
> > I tried yesterday many times using different options but it doesn't work,
> > any
> > idea what can be wrong?
>
> Looking at this:
>
> >> http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
> >>
>
> you have put ca (ca_auth), not client certificate in the personal store.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: question about windows users
> I tried yesterday many times using different options but it doesn't work,
> any idea what can be wrong?

Looking at this:

>> http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj

you have put the CA (ca_auth), not a client certificate, in the personal store.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
I tried yesterday many times using different options but it doesn't work; any idea what can be wrong?

Bartosz.

On Thu, May 14, 2009 at 3:45 PM, Bartosz Chodzinski wrote:
> OK, full information:
> JPG with all settings on the non-working client:
>
> http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
>
> I think it is proper, because it works with EAP (PEAP); am I wrong?
> Bartosz.
>
> On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik wrote:
>>> I am sorry, I gave you the wrong debug.
>>>
>>> Whatever is marked or unmarked on the checkbox
>>> local connection->authentication->keep in memory information about users for
>>> additional network connection
>>> the server does not have any new lines in the debug, as if nothing happened at all.
>>
>> It can't find the client certificate. Check the certificate store and see if the
>> certificate is where it is supposed to be.
Re: question about windows users
I know that the date may be weird, but it doesn't matter:

debian-etch:~# date
Sat May 14 15:46:10 CEST 2005

The Windows date is May 2005 as well, and the switch as well. I forgot to check the date when I created the certificates, but after changing the date on the server and the client it is not a problem.

Bartosz.

On Thu, May 14, 2009 at 3:45 PM, Bartosz Chodzinski wrote:
> OK, full information:
> JPG with all settings on the non-working client:
>
> http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
>
> I think it is proper, because it works with EAP (PEAP); am I wrong?
> Bartosz.
>
> On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik wrote:
>>> I am sorry, I gave you the wrong debug.
>>>
>>> Whatever is marked or unmarked on the checkbox
>>> local connection->authentication->keep in memory information about users for
>>> additional network connection
>>> the server does not have any new lines in the debug, as if nothing happened at all.
>>
>> It can't find the client certificate. Check the certificate store and see if the
>> certificate is where it is supposed to be.
Re: question about windows users
OK, full information:
JPG with all settings on the non-working client:

http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj

I think it is proper, because it works with EAP (PEAP); am I wrong?
Bartosz.

On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik wrote:
>> I am sorry, I gave you the wrong debug.
>>
>> Whatever is marked or unmarked on the checkbox
>> local connection->authentication->keep in memory information about users for
>> additional network connection
>> the server does not have any new lines in the debug, as if nothing happened at all.
>
> It can't find the client certificate. Check the certificate store and see if the
> certificate is where it is supposed to be.
Re: question about windows users
> I am sorry, I gave you the wrong debug.
>
> Whatever is marked or unmarked on the checkbox
> local connection->authentication->keep in memory information about users for
> additional network connection
> the server does not have any new lines in the debug, as if nothing happened at all.

It can't find the client certificate. Check the certificate store and see if the
certificate is where it is supposed to be.
Re: question about windows users
>>> What "doesn't work"? Post the debug.
> server:
> I didn't change my config file; it is the same as in the first message.
>
> client (win xp):
> I have local connection->authentication->method->eap(peap)->properties:
>   validate server cert (marked checkbox),
>   marked cacert.pem,
>   secured password eap-mschapv2 - use my windows logon
>
> It works properly, but only with the correct user/pass in the
> /etc/freeradius/users file.

OK. That's PEAP.

> now I change
> local connection->authentication->method->smart card or other certificate->properties:
>   validate server cert (marked checkbox),
>   marked cacert.pem,
> local connection->authentication->keep in memory info about users for
> additional network connection (unmarked checkbox - when marked nothing
> happens at all)
>
> debug
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37, length=159
>         NAS-IP-Address = 192.168.5.206
>         NAS-Port = 50046
>         NAS-Port-Type = Ethernet
>         User-Name = "PC-01\\Administrator"
>         Called-Station-Id = "00-0C-30-81-9B-EE"
>         Calling-Station-Id = "00-0A-E4-13-1A-02"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         EAP-Message = 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
>         Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.

The name on the certificate is not the same as that User-Name. Fix that.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
I am sorry, I gave you the wrong debug.

Whatever is marked or unmarked on the checkbox
local connection->authentication->keep in memory information about users for
additional network connection
the server does not have any new lines in the debug, as if nothing happened at all.

On Thu, May 14, 2009 at 2:24 PM, Bartosz Chodzinski wrote:
>>> What "doesn't work"? Post the debug.
> server:
> I didn't change my config file; it is the same as in the first message.
>
> client (win xp):
> I have local connection->authentication->method->eap(peap)->properties:
>   validate server cert (marked checkbox),
>   marked cacert.pem,
>   secured password eap-mschapv2 - use my windows logon
>
> It works properly, but only with the correct user/pass in the
> /etc/freeradius/users file.
>
> now I change
> local connection->authentication->method->smart card or other certificate->properties:
>   validate server cert (marked checkbox),
>   marked cacert.pem,
> local connection->authentication->keep in memory info about users for
> additional network connection (unmarked checkbox - when marked nothing
> happens at all)
>
> debug
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37, length=159
>         NAS-IP-Address = 192.168.5.206
>         NAS-Port = 50046
>         NAS-Port-Type = Ethernet
>         User-Name = "PC-01\\Administrator"
>         Called-Station-Id = "00-0C-30-81-9B-EE"
>         Calling-Station-Id = "00-0A-E4-13-1A-02"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         EAP-Message = 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
>         Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> Sending Access-Reject of id 37 to 192.168.5.206 port 1812
Re: question about windows users
>> What "doesn't work"? Post the debug.

server:
I didn't change my config file; it is the same as in the first message.

client (win xp):
I have local connection->authentication->method->eap(peap)->properties:
  validate server cert (marked checkbox),
  marked cacert.pem,
  secured password eap-mschapv2 - use my windows logon

It works properly, but only with the correct user/pass in the /etc/freeradius/users file.

now I change
local connection->authentication->method->smart card or other certificate->properties:
  validate server cert (marked checkbox),
  marked cacert.pem,
local connection->authentication->keep in memory info about users for
additional network connection (unmarked checkbox - when marked nothing happens at all)

debug

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37, length=159
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "PC-01\\Administrator"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
        Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Sending Access-Reject of id 37 to 192.168.5.206 port 1812
Re: question about windows users
>> 2.0.4 should be available for Debian.
> I know, 2.0.4 freeradius is available for debian lenny but not etch
> unfortunately.
> http://packages.debian.org/search?keywords=freeradius

>> 2. Use EAP-TLS to connect (Smart card or certificate in Windows speak).
> Could you tell me where in the config to put that?

There is nothing to configure on the server - it works in the default configuration with the default ca and server certificates, and client certificates made following the instructions in raddb/certs/README (2.0.4 - on 1.1.3 you have to generate the certificates yourself).

> I tried what is described below but it doesn't work

What "doesn't work"? Post the debug.

> and I set up on xp:
> local connection->properties->authentication->smart card or certificate,
> and I chose my cacert.pem

You should import the .der version for Windows. And .p12 for the client certificate.

Ivan Kalik
Kalik Informatika ISP
Re: question about windows users
> 2.0.4 should be available for Debian.

I know, 2.0.4 freeradius is available for debian lenny but not etch, unfortunately.

> 2. Use EAP-TLS to connect (Smart card or certificate in Windows speak).

Could you tell me where in the config to put that? I tried what is described below but it doesn't work.

eap.conf:

eap {
    default_eap_type = tls
}

and I set up on xp:
local connection->properties->authentication->smart card or certificate,
and I chose my cacert.pem

How do I configure it that way?

Thank you for the rapid answer.
Bartosz.

On Thu, May 14, 2009 at 12:54 PM, Ivan Kalik wrote:
> > I have freeradius with eap support on debian etch, radius v1.1.3
>
> 2.0.4 should be available for Debian. Upgrade. Vista doesn't work with
> 1.1.3. And you will have problems with XP SP3.
>
> > "everything" is working fine but I'd like to have a much simpler
> > configuration, only by certificate and nothing more,
> > so I have a few questions:
> >
> > 1.
> > fragment of my log first, before the question
> > Listening on authentication *:1812
> > Listening on accounting *:1813
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159
> >         NAS-IP-Address = 192.168.5.206
> >         NAS-Port = 50046
> >         NAS-Port-Type = Ethernet
> >         User-Name = "PC-01\\Administrator"
> >         Called-Station-Id = "00-0C-30-81-9B-EE"
> >         Calling-Station-Id = "00-0A-E4-13-1A-02"
> >         Service-Type = Framed-User
> >         Framed-MTU = 1500
> >         EAP-Message = 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
> >         Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> >     rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> >
> > my users file contains:
> > "PC-01\\Administrator" User-Password == "passwd"
> >
> > how can I avoid this value PC-01? It's really annoying; I would like to
> > have only the real user. PC-01 is "my computer -> properties -> computer name ->
> > full computer name". I would like to have only the username (regardless of case).
>
> 1. Don't use windows logon name. Untick that when you are making the
> connection.
>
> 2. You can't strip username in EAP. Use ntdomain. It's listed but
> commented out in default configuration.
>
> > sth like
> > "administrator" User-Password == "passwd"
>
> For that to work add domain bit as local realm to proxy.conf.
>
> > 2.
> > I would like to use only a certificate to check whether or not some computer
> > should have a network connection,
> > I don't care about login or password,
> > if the client has a valid cacert.pem installed on the pc (windows xp) it should
> > grant access to the network, is it possible to do that?
>
> Use EAP-TLS to connect (Smart card or certificate in Windows speak).
>
> > 3.
> > when I read the log from freeradius -X I see that one pc needs to have
> > 7 requests in freeradius and on the 8th request it is accepted, is that ok?
>
> Yes.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: question about windows users
> I have freeradius with eap support on debian etch, radius v1.1.3

2.0.4 should be available for Debian. Upgrade. Vista doesn't work with
1.1.3. And you will have problems with XP SP3.

> "everything" is working fine but I'd like to have a much simpler
> configuration, only by certificate and nothing more,
> so I have a few questions:
>
> 1.
> fragment of my log first, before the question
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159
>         NAS-IP-Address = 192.168.5.206
>         NAS-Port = 50046
>         NAS-Port-Type = Ethernet
>         User-Name = "PC-01\\Administrator"
>         Called-Station-Id = "00-0C-30-81-9B-EE"
>         Calling-Station-Id = "00-0A-E4-13-1A-02"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         EAP-Message = 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
>         Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>
> my users file contains:
> "PC-01\\Administrator" User-Password == "passwd"
>
> how can I avoid this value PC-01? It's really annoying; I would like to
> have only the real user. PC-01 is "my computer -> properties -> computer name ->
> full computer name". I would like to have only the username (regardless of case).

1. Don't use windows logon name. Untick that when you are making the
connection.

2. You can't strip username in EAP. Use ntdomain. It's listed but
commented out in default configuration.

> sth like
> "administrator" User-Password == "passwd"

For that to work add domain bit as local realm to proxy.conf.

> 2.
> I would like to use only a certificate to check whether or not some computer
> should have a network connection,
> I don't care about login or password,
> if the client has a valid cacert.pem installed on the pc (windows xp) it should
> grant access to the network, is it possible to do that?

Use EAP-TLS to connect (Smart card or certificate in Windows speak).

> 3.
> when I read the log from freeradius -X I see that one pc needs to have
> 7 requests in freeradius and on the 8th request it is accepted, is that ok?

Yes.

Ivan Kalik
Kalik Informatika ISP
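Two points in this thread turn on the identity the Windows supplicant sends: the "Identity does not match User-Name, setting from EAP Identity" line in the later debug, where the server trusts the name inside the EAP-Response/Identity over the outer RADIUS User-Name, and the "use ntdomain, you can't strip the username in EAP" advice above, where the COMPUTER\user prefix becomes a realm instead of being cut off. The following is an added example, not code from the thread or from FreeRADIUS: it builds and decodes the EAP-Response/Identity framing that the EAP-Message attribute carries (Code, Id, Length, Type, identity), applies the identity-versus-User-Name check, and then splits the name the way an ntdomain realm instance with a backslash delimiter and prefix format does. The sample names are constructed and mirror the anonymised "PC-01\\Administrator" from the thread.

```python
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_identity_response(eap_id, identity):
    """Encode an EAP-Response/Identity: Code(1) Id(1) Length(2) Type(1) Identity."""
    data = identity.encode("utf-8")
    length = 5 + len(data)
    return (bytes([EAP_CODE_RESPONSE, eap_id]) + length.to_bytes(2, "big")
            + bytes([EAP_TYPE_IDENTITY]) + data)


def parse_eap(packet):
    """Decode the fixed EAP header; reject packets whose Length disagrees with the data."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, eap_id = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} does not match {len(packet)} bytes")
    return {"code": code, "id": eap_id,
            "type": packet[4] if length > 4 else None,
            "data": packet[5:]}


def eap_identity(packet):
    """Return the identity string from an EAP-Response/Identity, else None."""
    eap = parse_eap(packet)
    if eap["code"] != EAP_CODE_RESPONSE or eap["type"] != EAP_TYPE_IDENTITY:
        return None
    return eap["data"].decode("utf-8", "replace")


def split_ntdomain(name):
    """Split DOMAIN\\user into (realm, user), as an ntdomain realm instance
    (format = prefix, delimiter = "\\") does; no prefix means no realm."""
    if "\\" not in name:
        return None, name
    realm, user = name.split("\\", 1)
    return realm, user


def authorize(user_name, eap_message):
    """Reproduce the two checks seen in the debug: EAP Identity vs User-Name, then the realm split."""
    notes = []
    identity = eap_identity(eap_message)
    if identity is not None and identity != user_name:
        # FreeRADIUS logs this line and continues with the EAP identity, not the User-Name
        notes.append("Identity does not match User-Name, setting from EAP Identity.")
        user_name = identity
    realm, stripped = split_ntdomain(user_name)
    return {"user_name": user_name, "realm": realm,
            "stripped_user_name": stripped, "notes": notes}


if __name__ == "__main__":
    # Constructed sample: the NAS copied the EAP identity into User-Name, as it should.
    pkt = build_identity_response(27, "PC-01\\Administrator")
    print(pkt.hex())
    print(authorize("PC-01\\Administrator", pkt))
    # Constructed sample: User-Name rewritten on the way, identity left alone.
    print(authorize("administrator", pkt))
```

With the matching pair the realm split yields realm "PC-01" and a stripped user "Administrator", which is what the users-file entry for a plain "administrator" would key on once the domain is configured as a local realm; with the mismatched pair the EAP identity wins and the warning is recorded, which is the behaviour the debug output in this thread shows. Whether the certificate's name then agrees with that identity is a separate check on the EAP-TLS side.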