Re: question about windows users

2009-05-29 Thread Bartosz Chodzinski
On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik  wrote:

> > Problem was solved thanks to Ivan's assistance.
> > The main problem was on the switch side and its configuration,
> > the second problem was the proper certificate in the proper certificate store,
> > and the third was in my head :).
>
> OK. Now that you have established that client certificates signed by the CA
> work with XP SP3, can you check if server-signed certificates (made by the
> original Makefile) also work, or if XP SP3 is rejecting them? Could you
> report to the list with the result?
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

No, the standard Makefile is not working.

freeradius -X output:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "u...@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x3fa86bcca888e9174c33ff2206178e97
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 160 to 192.168.5.206 port 1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161,
length=150
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "u...@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
EAP-Message = 0x02010006030d
Message-Authenticator = 0xe1ef7b423be0a169598a253da36247c0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 161 to 192.168.5.206 port 1812
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0x0a8a026e0b880fea4f51a121d61eb2bf
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=162,
length=224
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "u...@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e0b880fea4f51a121d61eb2bf
EAP-Message =
0x020200500d8000461603010041013d03014a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f56941600040005000a0009006400
62000300060013001200630100
Message-Authenticator = 0xca0d351030f630125dd9b87f5d39e7e9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] No EAP
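The negotiation the log above records (Identity, a PEAP Start that the supplicant answers with a Nak asking for TLS, then a TLS Start) is all carried in the EAP-Message attribute. The decoder below is an added example, not code from the thread or from FreeRADIUS: a POSIX sh script that pulls the code, identifier, length, type and, for TLS/PEAP, the flags byte out of such a value. The sample values are copied from the logs in this thread. Note that the archive has lost runs of zero bytes from some of them (compare `0x0215...` on a packet the server reports as id 0, length 21, and the empty `Message-Authenticator = 0x` on outgoing packets), so the decoder checks the Length field against the bytes actually present and rejects those values rather than mis-parsing them.

```sh
#!/bin/sh
# Decoder for the EAP-Message attribute as printed by "freeradius -X".
# Added example (not from the thread or from FreeRADIUS); POSIX sh + awk only.
# EAP packet layout (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data
# Code 1=Request 2=Response 3=Success 4=Failure.
# For TLS/TTLS/PEAP the first Type-Data byte is the flags byte:
#   0x80 L (TLS length included), 0x40 M (more fragments), 0x20 S (Start).

# hexslice STRING START COUNT -> COUNT hex digits from 1-based position START
hexslice() {
  printf '%s' "$1" | cut -c"$2"-"$(( $2 + $3 - 1 ))"
}

# hex_to_ascii HEX -> the bytes as text (expects lowercase hex)
hex_to_ascii() {
  printf '%s' "$1" | awk '{
    for (i = 1; i <= length($0); i += 2) {
      hi = index("0123456789abcdef", substr($0, i, 1)) - 1
      lo = index("0123456789abcdef", substr($0, i + 1, 1)) - 1
      printf "%c", hi * 16 + lo
    }
  }'
}

eap_type_name() {
  case $1 in
    01) echo Identity ;;      03) echo Nak ;;
    04) echo MD5-Challenge ;; 0d) echo TLS ;;
    15) echo TTLS ;;          19) echo PEAP ;;
    1a) echo MSCHAPv2 ;;      *)  echo "type-0x$1" ;;
  esac
}

# eap_decode 0x... -> one summary line on stdout.
# Returns 1 when the Length field disagrees with the number of bytes present
# (the archived logs contain values whose zero bytes were stripped).
eap_decode() {
  hex=$(printf '%s' "$1" | sed 's/^0x//' | tr 'ABCDEF' 'abcdef')
  if [ ${#hex} -lt 8 ] || [ $(( ${#hex} % 2 )) -ne 0 ]; then
    echo "not a whole EAP header: $1" >&2; return 1
  fi
  code=$(hexslice "$hex" 1 2)
  ident=$(( 0x$(hexslice "$hex" 3 2) ))
  length=$(( 0x$(hexslice "$hex" 5 4) ))
  if [ "$length" -ne $(( ${#hex} / 2 )) ]; then
    echo "Length field says $length bytes but $(( ${#hex} / 2 )) present: $1" >&2; return 1
  fi
  case $code in
    01) kind=Request ;; 02) kind=Response ;; 03) kind=Success ;; 04) kind=Failure ;;
    *)  kind="code-0x$code" ;;
  esac
  if [ "$length" -eq 4 ]; then            # Success/Failure carry no Type byte
    printf '%s id=%d len=%d\n' "$kind" "$ident" "$length"; return 0
  fi
  type=$(hexslice "$hex" 9 2)
  data=$(printf '%s' "$hex" | cut -c11-)
  detail=
  case $type in
    01) if [ "$code" = 02 ]; then detail=" identity=$(hex_to_ascii "$data")"; fi ;;
    03) detail=" wants=$(eap_type_name "$(hexslice "$data" 1 2)")" ;;   # Nak: desired type
    04) detail=" challenge-bytes=$(( 0x$(hexslice "$data" 1 2) ))" ;;   # Value-Size
    0d|15|19)
      flags=$(( 0x$(hexslice "$data" 1 2) ))
      if [ $(( flags & 0x20 )) -ne 0 ]; then detail="$detail Start"; fi
      if [ $(( flags & 0x40 )) -ne 0 ]; then detail="$detail More"; fi
      if [ $(( flags & 0x80 )) -ne 0 ]; then
        detail="$detail tls-length=$(( 0x$(hexslice "$data" 3 8) ))"
      fi ;;
  esac
  printf '%s id=%d len=%d type=%s%s\n' "$kind" "$ident" "$length" "$(eap_type_name "$type")" "$detail"
}

# Values copied from the logs in this thread; the last one is one of the
# archive's zero-stripped values and is rejected by the length check.
for m in 0x0201001501757365725f6365727469666963617465 \
         0x0101001604100c91af03e9cd5c25126407d36f22684a \
         0x010200061920 0x02010006030d 0x010200060d20 \
         0x02150175736572406578616d706c652e636f6d; do
  eap_decode "$m" || echo "  (skipped)"
done
```

Each printed line matches one step of the debug output: the MD5-Challenge request is the "rlm_eap_md5: Issuing Challenge" that Ivan flagged as the server offering EAP-MD5, the PEAP and TLS lines are the "Start" packets behind "[tls] Start returned 1", and the Nak wanting TLS is the supplicant insisting on EAP-TLS once it is configured for it.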

Re: question about windows users

2009-05-29 Thread Ivan Kalik
> Problem was solved thanks to Ivan's assistance.
> The main problem was on the switch side and its configuration,
> the second problem was the proper certificate in the proper certificate store,
> and the third was in my head :).

OK. Now that you have established that client certificates signed by the CA
work with XP SP3, can you check if server-signed certificates (made by the
original Makefile) also work, or if XP SP3 is rejecting them? Could you
report to the list with the result?

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-29 Thread Bartosz Chodzinski
Problem was solved thanks to Ivan's assistance.
The main problem was on the switch side and its configuration,
the second problem was the proper certificate in the proper certificate store,
and the third was in my head :).
Thank you again,
Bartosz.

Re: question about windows users

2009-05-24 Thread Bartosz Chodzinski
>> So, check EAP settings on your windows machine - have you cleared server
>> certificate validation box?
Yes, I tried with such settings; after that my freeradius -X logs:

rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=245,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user_certificate"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0201001501757365725f6365727469666963617465
Message-Authenticator = 0x2329ec2c85dc1d283a985e213260a2c4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 245 to 192.168.5.206 port 1812
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x7895d3087897cab912734ed23163fd96
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 245 with timestamp +137
Ready to process requests.


On Wed, May 20, 2009 at 10:24 PM, Ivan Kalik  wrote:

> >> Check connection settings on Windows machine.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> > I am using a standard settings of eap.conf
> > when I change eap.conf to:
> > #   default_eap_type = md5
> > default_eap_type = peap
> >
>
> That's not the Windows machine - that's on your radius server. Changing that
> is cosmetic - it won't do anything substantial.
>
> http://deployingradius.com/
>
> Have you read this? You are trying to do step 4 without sorting out step
> 2. So, check EAP settings on your windows machine - have you cleared
> server certificate validation box?
>
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: question about windows users

2009-05-20 Thread Ivan Kalik
>> Check connection settings on Windows machine.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
> I am using a standard settings of eap.conf
> when I change eap.conf to:
> #   default_eap_type = md5
> default_eap_type = peap
>

That's not the Windows machine - that's on your radius server. Changing that
is cosmetic - it won't do anything substantial.

http://deployingradius.com/

Have you read this? You are trying to do step 4 without sorting out step
2. So, check EAP settings on your windows machine - have you cleared
server certificate validation box?


Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-20 Thread Bartosz Chodzinski
I am using a standard settings of eap.conf
when I change eap.conf to:
#   default_eap_type = md5
default_eap_type = peap

I get a similar message:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=242,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user_certificate"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x021501757365725f6365727469666963617465
Message-Authenticator = 0x4fea88a60594825de9229268206fb02d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 242 to 192.168.5.206 port 1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x54cef72d54cfee66f11829ca8f9f95d7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 242 with timestamp +37
Ready to process requests.



On Wed, May 20, 2009 at 3:51 PM, Ivan Kalik  wrote:

> > [eap] processing type md5
> > rlm_eap_md5: Issuing Challenge
>
> Hm, you are saying you want to do EAP-TLS but your server reports that it
> has got EAP-MD5 request. Check connection settings on Windows machine.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>

Re: question about windows users

2009-05-20 Thread Bartosz Chodzinski
OK, I changed it back to the default:
proxy_requests  = yes
$INCLUDE proxy.conf

/etc/freeradius/certs/Makefile
was:
#client.crt: client.csr server.crt server.key index.txt serial
#	openssl ca -batch -keyfile server.key -cert server.crt -in client.csr \
#	  -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext \
#	  -extfile xpextensions -config ./client.cnf

is now:
client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr \
	  -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext \
	  -extfile xpextensions -config ./client.cnf


changes in client.cnf
was:
certificate = $dir/server.pem
serial  = $dir/serial
private_key = $dir/server.key
commonName  = u...@example.com

is now:
certificate = $dir/ca.pem
serial  = $dir/serial
private_key = $dir/ca.key
commonName  = user_certificate


Now, after installing ca.der and client.p12 in Windows, everything in the
certificate stores seems to be OK: there is no exclamation mark on
user_certificate, and the certification path is OK.

back to the server:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=240,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user_certificate"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x021501757365725f6365727469666963617465
Message-Authenticator = 0x0d65a52fd78035c3c828c30d2a2442d9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168.5.206 port 1812
EAP-Message = 0x0101001604100c91af03e9cd5c25126407d36f22684a
Message-Authenticator = 0x
State = 0xb5a5cfd0b5a4cb20491e5ee122e4a622
Finished request 0.
Going to the next request




On Wed, May 20, 2009 at 2:39 PM, Ivan Kalik  wrote:

> >>> The steps you took show that you are NOT following the guide.
> >>>  Good luck.  You clearly are *not* interested in solving the problem.
> >
> > the guide in radiusd.conf says:
> > #The server has proxying turned on by default.  If your system is NOT
> > #  set up to proxy requests to another server, then you can turn proxying
> > #  off here.  This will save a small amount of resources on the server.
> > I tried to read it carefully and with understanding. I don't use a proxy, my
> > system is not sending requests to another server, so I turned it off.
>
> You might not want to, but you *are* proxying your requests. You have
> created client certificate with predefined data in client.cnf - which is
> part of the proxy demonstration setup. So, leave proxy settings alone and
> concentrate on doing what you have been advised - changing data in
> client.cnf so created client certificate won't have @example.com as part
> of the username.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: question about windows users

2009-05-20 Thread Ivan Kalik
>>> The steps you took show that you are NOT following the guide.
>>>  Good luck.  You clearly are *not* interested in solving the problem.
>
> the guide in radiusd.conf says:
> #The server has proxying turned on by default.  If your system is NOT
> #  set up to proxy requests to another server, then you can turn proxying
> #  off here.  This will save a small amount of resources on the server.
> I tried to read it carefully and with understanding. I don't use a proxy, my
> system is not sending requests to another server, so I turned it off.

You might not want to, but you *are* proxying your requests. You have
created client certificate with predefined data in client.cnf - which is
part of the proxy demonstration setup. So, leave proxy settings alone and
concentrate on doing what you have been advised - changing data in
client.cnf so created client certificate won't have @example.com as part
of the username.

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-20 Thread Bartosz Chodzinski
>> The steps you took show that you are NOT following the guide.
>>  Good luck.  You clearly are *not* interested in solving the problem.

the guide in radiusd.conf says:
#The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
I tried to read it carefully and with understanding. I don't use a proxy, my
system is not sending requests to another server, so I turned it off.


On Wed, May 20, 2009 at 1:35 PM, Alan DeKok wrote:

> Bartosz Chodzinski wrote:
> > back to the beginning
> > and using the most simple conf.
> ...
> > now I have a clear configuration and make simple changes
> >
> > changes:
> > radiusd.conf
> > proxy_requests  = no #was yes, set to no because I don't need it
>
>   The guide didn't say to do that.
>
> ...
> > I still have a problem - described in prvious post
>
>   The steps you took show that you are NOT following the guide.
>
>  Good luck.  You clearly are *not* interested in solving the problem.
>
>  Alan DeKok.

Re: question about windows users

2009-05-20 Thread Ivan Kalik
> next I made client certificate (using standard scripts)
> #cd /etc/freeradius/certs
> #make client
> and installed the certificates client.p12, ca.der on Win XP Prof SP3 OEM, Acer
> Travel Mate 380
> certificates installed in the Trusted Root CA and Personal stores (I deleted
> all previous certs on that system)
>
> I still have a problem - described in previous post
>>exclamation mark on client certificate:
>>"windows does not have enough information to verify this certificate"
>>"you have private key that corresponds to this certificate"
>>http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu
> but I am frightened to make any changes without your permission in
> /etc/freeradius/certs/Makefile, and even though I have your permission I still
> don't know what to change

Yes, we have been through this before. Change make client in the Makefile, so
that it uses the CA and not the server certificate to sign client certificates. I
would create the changes and save them as Makefile.CA. Perhaps that can be
added into the distribution, so you would just rename Makefile to
Makefile.old and Makefile.CA to Makefile in order to make this switch (and
add comments about that in the README file).

> I get familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I
> did
> not find what to change in this file

Because that's OpenSSL stuff, not FreeRADIUS. If you don't know what to
change, I will post this file overnight, when I have a bit more time.

> Ivan wrote:
>>Use your own domain. For EAP-TLS - no modification needed. I have seen
>> you
>>going on about PEAP as well. If those users are also using format
>>u...@your_domain, then create local realm your_domain - it won't
>> interfere
>>with EAP-TLS and will create Stripped-User-Name that can be used for
>>authentication.
> I dont want to have a domain yet,
> no usernames, no password for usernames, no proxies, no domains at all

Yet:

> User-Name = "u...@example.com"

you created the user with the domain. As I said previously, there are
preset example files in the default configuration. You need to alter
client.cnf and enter details for your test user without the domain in the
name. If you need guidance about altering those files you should look it
up on the OpenSSL site.

Ivan Kalik
Kalik Informatika ISP

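Ivan's point here, and the Makefile change Bartosz posted in his 2009-05-20 message, both come down to who issues client.crt. The original client.crt target signed it with server.key and server.crt, so the certificate's issuer was the server's end-entity certificate rather than the CA, and a verifier that has only ca.der in its trusted store cannot build a chain, which is consistent with the "does not have enough information to verify this certificate" warning Windows showed. The script below is an added example, not code from the thread or from the FreeRADIUS certs directory: it builds a throw-away PKI with plain openssl, signs one client CSR both ways, and uses `openssl verify` in place of the Windows certificate store. The CNs are the ones Bartosz said he wanted; key sizes, lifetimes, file names and the temporary directory are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS certs/Makefile):
# reproduce both signing paths with plain openssl and let "openssl verify"
# play the role of the Windows certificate store.
# CNs follow the thread; key sizes, lifetimes and file names are assumptions.

# make_demo_pki DIR -> ca.pem, server.pem, client_signed_by_server.crt and
#                      client_signed_by_ca.crt inside DIR (runs in a subshell)
make_demo_pki() (
  set -e
  mkdir -p "$1" && cd "$1"
  q() { "$@" >/dev/null 2>&1; }          # quiet wrapper, keeps the exit status

  # 1. Self-signed CA. "req -x509" marks it as a CA (basicConstraints CA:TRUE).
  q openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj /CN=my_radius_CA -keyout ca.key -out ca.pem

  # 2. Server certificate issued by the CA (the default Makefile did this part right).
  q openssl req -new -newkey rsa:2048 -nodes -subj /CN=server_cert \
      -keyout server.key -out server.csr
  q openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
      -CAcreateserial -days 365 -out server.pem

  # 3. One client CSR, signed two ways.
  q openssl req -new -newkey rsa:2048 -nodes -subj /CN=client_cert \
      -keyout client.key -out client.csr
  # 3a. Old Makefile: "-keyfile server.key -cert server.crt". The issuer is an
  #     end-entity certificate without CA:TRUE, so no verifier can chain through it.
  q openssl x509 -req -in client.csr -CA server.pem -CAkey server.key \
      -CAcreateserial -days 365 -out client_signed_by_server.crt
  # 3b. Corrected Makefile: "-keyfile ca.key -cert ca.pem".
  q openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
      -CAcreateserial -days 365 -out client_signed_by_ca.crt
)

# chains_to_ca DIR CERT -> 0 if DIR/CERT verifies against DIR/ca.pem, 1 otherwise.
# server.pem is offered as an untrusted intermediate, the most generous reading
# of what Windows had in its stores; it still cannot act as an issuer.
# Matching ": OK" instead of trusting the exit status keeps this correct on old
# openssl builds whose "verify" exited 0 even on failure.
chains_to_ca() {
  openssl verify -CAfile "$1/ca.pem" -untrusted "$1/server.pem" "$1/$2" 2>/dev/null \
    | grep -q ': OK$'
}

demo=${TMPDIR:-/tmp}/eaptls-demo.$$
make_demo_pki "$demo"
for c in client_signed_by_server.crt client_signed_by_ca.crt; do
  printf '%s\n   %s\n   ' "$c" "$(openssl x509 -noout -issuer -in "$demo/$c")"
  if chains_to_ca "$demo" "$c"; then
    echo "chains to my_radius_CA"
  else
    echo "does NOT chain to my_radius_CA"
  fi
done
rm -rf "$demo"
```

The same check is worth running against the real files before touching a Windows box: `openssl verify -CAfile ca.pem client.crt` in /etc/freeradius/certs must print `client.crt: OK`, and `openssl x509 -noout -issuer -in client.crt` must name the CA, not the server certificate.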


Re: question about windows users

2009-05-20 Thread Alan DeKok
Bartosz Chodzinski wrote:
> back to the beginning
> and using the most simple conf.
...
> now I have a clear configuration and make simple changes
> 
> changes:
> radiusd.conf
> proxy_requests  = no #was yes, set to no because I don't need it

  The guide didn't say to do that.

...
> I still have a problem - described in prvious post

  The steps you took show that you are NOT following the guide.

  Good luck.  You clearly are *not* interested in solving the problem.

  Alan DeKok.


Re: question about windows users

2009-05-20 Thread Bartosz Chodzinski
Back to the beginning,
and using the most simple conf.

To be sure that I have a clear configuration:
#apt-get remove freeradius
#dpkg -P freeradius
#dpkg -i freeradius_2.1.6-0_i386.deb
server is Debian etchnhalf, it is virtual server on VMware ESX Server 3i,
3.5.0

now I have a clear configuration and make simple changes

changes:
radiusd.conf
proxy_requests  = no #was yes, set to no because I don't need it
#$INCLUDE proxy.conf #was uncommented, see above

eap.conf
no changes at all

clients.conf
add a client - 192.168.5.0/24 (client Cisco 2950)

next I made client certificate (using standard scripts)
#cd /etc/freeradius/certs
#make client
and installed the certificates client.p12, ca.der on Win XP Prof SP3 OEM, Acer
Travel Mate 380
certificates installed in the Trusted Root CA and Personal stores (I deleted
all previous certs on that system)

I still have a problem - described in previous post
>exclamation mark on client certificate:
>"windows does not have enough information to verify this certificate"
>"you have private key that corresponds to this certificate"
>http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu
but I am frightened to make any changes without your permission in
/etc/freeradius/certs/Makefile, and even though I have your permission I still
don't know what to change.
I got familiar with http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ but I did
not find what to change in this file.

Ivan wrote:
>Use your own domain. For EAP-TLS - no modification needed. I have seen you
>going on about PEAP as well. If those users are also using format
>u...@your_domain, then create local realm your_domain - it won't interfere
>with EAP-TLS and will create Stripped-User-Name that can be used for
>authentication.
I don't want to have a domain yet; all I want to have at the beginning:
server radius + server certificate (common name: server_cert - signed by
my_radius_CA)
clients radius (cisco 2950)
user radius (winxp) + client certificate (common name: client_cert - signed
by my_radius_CA)
no usernames, no passwords for usernames, no proxies, no domains at all

I used the files ca, server, client, dh, random created by the
/etc/freeradius/certs/bootstrap script

I know that I am at the start of the topic, I am listening, really.
Bartosz.

freeradius -X

rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=226,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "u...@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x9bcadf204cf30292cfb7f1abed75501b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 226 to 192.168.5.206 port 1812
EAP-Message = 0x0101001604108a193ba39f65974f35dc5b3140db877f
Message-Authenticator = 0x
State = 0x495360bd49526405f11f72d516a953d3
Finished request 0.
Going to the next request




On Wed, May 20, 2009 at 11:38 AM, Ivan Kalik  wrote:

> > could you give me good freeradius guide for dummies - I think I need it
> :)
> >
>
> Guide: don't make any changes to the default configuration unless you know
> what you are doing. That's it.
>
> Server is configured by default to handle EAP-TLS. There is nothing that
> you need to do to make it happen.
>
> Now, about your problem: freeradius uses fake realm example.com - for
> examples. Of proxying, fail-over home servers, use of virtual servers etc.
> Why are *you* using it as well? These examples are not what you want to
> do.
>
> Use your own domain. For EAP-TLS - no modification needed. I have seen you
> going on about PEAP as well. If those users are also using format
> u...@your_domain, then create local realm your_domain - it won't interfere
> with EAP-TLS and will create Stripped-User-Name that can be used for
> authentication.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: question about windows users

2009-05-20 Thread Ivan Kalik
> could you give me good freeradius guide for dummies - I think I need it :)
>

Guide: don't make any changes to the default configuration unless you know
what you are doing. That's it.

Server is configured by default to handle EAP-TLS. There is nothing that
you need to do to make it happen.

Now, about your problem: freeradius uses fake realm example.com - for
examples. Of proxying, fail-over home servers, use of virtual servers etc.
Why are *you* using it as well? These examples are not what you want to
do.

Use your own domain. For EAP-TLS - no modification needed. I have seen you
going on about PEAP as well. If those users are also using format
u...@your_domain, then create local realm your_domain - it won't interfere
with EAP-TLS and will create Stripped-User-Name that can be used for
authentication.

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-20 Thread Alan DeKok
Bartosz Chodzinski wrote:
> I am not saying that you are lying, I didn't even think like that, I
> never intended to insult you,

 You're not insulting us.  I am asking you to *think* about what you are
saying.

> yes, it annoys me - I started to do something with radius because I felt
> that it was a good idea to know how to do it, and how it works, but I met a
> wall I can't crush, so I often have to count to 10 to stay on the ground.
> back to the subject:

  No.  You are NOT listening.  You are NOT following instructions.

  We do NOT want to see copies of your configuration.  If your
configuration is the SAME as the default, then we've already seen it
many times.  If your configuration is NOT the same as the default, then
you are changing it after being told to NOT change it.

  Follow instructions and it will work.  This is the LAST time I will
say this.  If you keep sending email that shows you are NOT following
instructions, I will NOT respond to it.

  I cannot help you if you refuse to follow my instructions.

  Alan DeKok.


Re: question about windows users

2009-05-20 Thread Bartosz Chodzinski
Hey People!,
I am not saying that you are lying, I didn't even think like that, I never
intended to insult you;
for God's sake, I am asking for help - that means that you are the masters and
I am the student.
Yes, it annoys me - I started to do something with radius because I felt that
it was a good idea to know how to do it, and how it works, but I met a wall I
can't crush, so I often have to count to 10 to stay on the ground.
back to the subject:

proxy.conf
proxy server {
default_fallback = no

}
home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1812
secret = testing123
require_message_authenticator = no
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}

home_server virtual.example.com {
virtual_server = virtual.example.com
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}

realm example.com {
#auth_pool = my_auth_failover #commented by me /by Ivan suggestion/
}
realm LOCAL {
}
realm NULL {
secret  = password
}

On Wed, May 20, 2009 at 10:21 AM, Alan DeKok wrote:

> Bartosz Chodzinski wrote:
> > could you give me good freeradius guide for dummies - I think I need it
> :)
>
> $ man radiusd
>
>  It contains a section describing how to make changes to the
> configuration files.
>
>  For EAP, see http://deployingradius.com
>
>  The front page contains 4 steps to get EAP working.  Follow the steps.
>  Start with the DEFAULT configuration.  Do NOT make changes unless the
> guide says to.  EAP *will* work.
>
>  Alan DeKok.

Re: question about windows users

2009-05-20 Thread Alan DeKok
Bartosz Chodzinski wrote:
> could you give me good freeradius guide for dummies - I think I need it :)

$ man radiusd

  It contains a section describing how to make changes to the
configuration files.

  For EAP, see http://deployingradius.com

  The front page contains 4 steps to get EAP working.  Follow the steps.
 Start with the DEFAULT configuration.  Do NOT make changes unless the
guide says to.  EAP *will* work.

  Alan DeKok.


Re: question about windows users

2009-05-20 Thread A . L . M . Buxey
Hi,

>  realm example.com {
>  }
>  realm LOCAL {
>  }
>  realm NULL {
>  }
> /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist

That's very interesting - because in the default proxy.conf there IS an
entry for home_server localhost.

So, I'll repeat once again: do not just randomly edit and remove config entries.
Just change or add the few lines that you need and 'it will work'.

I'm not lying - I've been using this software since the very early days
when it didn't 'just work', going through the 1.0.x and 1.1.x where it started
to work, and now with the joys of 2.1.x where it's pretty amazingly almost ready
for production use with little or no changes!

alan


Re: question about windows users

2009-05-20 Thread Bartosz Chodzinski
could you give me good freeradius guide for dummies - I think I need it :)

On Wed, May 20, 2009 at 9:30 AM, Alan DeKok wrote:

> Bartosz Chodzinski wrote:
> > "make the basic changes to your eap.conf and client.conf it will work"
> > it won't.
>
>   You can believe that, which means that everyone else is lying.  They
> just download the software, follow the guides, and it "just works".
> But... because it doesn't work for you, they must be lying.
>
>  Or, maybe you didn't follow the guides.
>
> > have all of you had so many troubles with radius, or is it only me who has
> > such bad luck?
>
>   Many people have problems.  Those problems are almost always caused by
> doing *too much*, without understanding what they're doing.
>
> > my realm example.com was:
>
>   And here we have a problem.  The EAP guides do NOT say to add realms.
>  Why are you doing this?
>
>  Follow the guides.  Do nothing MORE than what the guides say.
>
>  If you do NOT follow the guides, then do NOT complain that they don't
> work.
>
> > when I changed in proxy.conf it to
> >
> > realm example.com {
> > }
> >
> > radius won't start
> ...
> >  realm example.com  {
> >  }
>
>  So it IS loading the "example.com" realm.
>
> >  realm LOCAL {
> >  }
> >  realm NULL {
> >  }
> > /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist
>
>   Is it really that difficult to read the debugging output?
>
>  1) It loads the realm "example.com" just fine.  No problems.
>
>  2) Line 498 of /etc/freeradius/proxy.conf refers to a home server
> that doesn't exist.  This error has *NOTHING* to do with the
> realm example.com
>
>  The issue here is that you are NOT following the guides, and you are
> NOT reading the debugging output.
>
>  Alan DeKok.

Re: question about windows users

2009-05-20 Thread Alan DeKok
Bartosz Chodzinski wrote:
> "make the basic changes to your eap.conf and client.conf it will work"
> it won't.

  You can believe that, which means that everyone else is lying.  They
just download the software, follow the guides, and it "just works".
But... because it doesn't work for you, they must be lying.

  Or, maybe you didn't follow the guides.

> Have all of you had so many troubles with radius, or is it only me who has such bad luck?

  Many people have problems.  Those problems are almost always caused by
doing *too much*, without understanding what they're doing.

> my realm example.com was:

  And here we have a problem.  The EAP guides do NOT say to add realms.
 Why are you doing this?

  Follow the guides.  Do nothing MORE than what the guides say.

  If you do NOT follow the guides, then do NOT complain that they don't
work.

> when I changed it in proxy.conf to
> 
> realm example.com {
> }
> 
> radius won't start
...
>  realm example.com  {
>  }

  So it IS loading the "example.com" realm.

>  realm LOCAL {
>  }
>  realm NULL {
>  }
> /etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist

  Is it really that difficult to read the debugging output?

  1) It loads the realm "example.com" just fine.  No problems.

  2) Line 498 of /etc/freeradius/proxy.conf refers to a home server
 that doesn't exist.  This error has *NOTHING* to do with the
 realm example.com

  The issue here is that you are NOT following the guides, and you are
NOT reading the debugging output.

  Alan DeKok.


Re: question about windows users

2009-05-20 Thread Bartosz Chodzinski
> Don't strip the username. Why do you proxy this anyway? Create it as a
> local realm:
I am using the basic configuration without changes in config because:

> so..somewhere along the line you are playing with the User-Name
> attribute...something
> which you cannot do with EAP - if you take a standard 2.1.6 install and
> make the basic changes
> to your eap.conf and clients.conf it will work.

"make the basic changes to your eap.conf and client.conf it will work"
it won't.

Have all of you had so many troubles with radius, or is it only me who has such bad luck?
I tried to make my first config a year ago, only had success with eap=md5,
after a month fighting with peap I gave up,
now I have some messages on screen, but answers like "basic changes" are
really not helpful.

my realm example.com was:

realm example.com {
auth_pool = my_auth_failover
}
when I changed it in proxy.conf to

realm example.com {
}

radius won't start
#freeradius -X
...
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 realm example.com {
 }
 realm LOCAL {
 }
 realm NULL {
 }
/etc/freeradius/proxy.conf[498]: home_server "localhost" does not exist

Re: question about windows users

2009-05-19 Thread Ivan Kalik
> I created the certs once again by myself, giving the common name for the user cert the
> same as in the example,
> u...@example.com, I placed them on the XP client - both of them look ok,
> now something is happening (anyway, like Aragorn said: "still not king"):
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206,
> length=147
...
> User-Name = "u...@example.com"
...
> [suffix] Found realm "example.com"
> [suffix] Adding Stripped-User-Name = "user"
> [suffix] Adding Realm = "example.com"
> [suffix] Proxying request from user user to realm example.com
> [suffix] Preparing to proxy authentication request to realm "example.com"
> ++[suffix] returns updated
...
> Sending Access-Request of id 14 to 127.0.0.1 port 1812
...
> User-Name = "user"
...
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
...

Don't strip the username. Why do you proxy this anyway? Create it as a
local realm:

realm example.com {
}

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-19 Thread Bartosz Chodzinski
I created the certs once again by myself, giving the common name for the user cert the
same as in the example,
u...@example.com, I placed them on the XP client - both of them look ok,
now something is happening (anyway, like Aragorn said: "still not king"):


Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "u...@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 14 to 127.0.0.1 port 1812
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x
Proxy-State = 0x323036
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 14 to 127.0.0.1 port 1812
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x
Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14,
length=140
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633
Proxy-State = 0x323036
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 14 to 127.0.0.1 port 1814
Proxy-State = 0x323036
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14,
length=25
Proxy-State = 0x323036
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> u...@example.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 206 to 192.168.5.206 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 14 with timestamp +43
Cleaning up request 0 ID 206 with timestamp +43
Ready to process requests.




On Tue, May 19, 2009 

Re: question about windows users

2009-05-19 Thread Bartosz Chodzinski
So in other words this script is for all clients except Microsoft-like ones?
> You should try altering make client command in Makefile so that client
> certificates are signed by ca and not server certificate.
Do you have such an altered Makefile?



On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik  wrote:

> > # make client
> >
> > next I made a copy of ca.der and client.p12 to the XP directory,
> > next I opened mmc and installed both of them to Trusted Root Certificate
> > Authorities and to Personal
> >
> > exclamation mark on the client certificate:
> > "windows does not have enough information to verify this certificate"
> > "you have a private key that corresponds to this certificate"
> >
>
> This is explained in raddb/certs/README - Compatibility. You should try
> altering make client command in Makefile so that client certificates are
> signed by ca and not server certificate.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: question about windows users

2009-05-19 Thread Ivan Kalik
> # make client
>
> next I made a copy of ca.der and client.p12 to the XP directory,
> next I opened mmc and installed both of them to Trusted Root Certificate
> Authorities and to Personal
>
> exclamation mark on the client certificate:
> "windows does not have enough information to verify this certificate"
> "you have a private key that corresponds to this certificate"
>

This is explained in raddb/certs/README - Compatibility. You should try
altering the make client command in the Makefile so that client certificates are
signed by the CA and not the server certificate.

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-19 Thread Bartosz Chodzinski
Ok, I downloaded 2.1.6

# unp freeradius-server-2.1.6.tar.gz
# cd /usr/src/freeradius-server-2.1.6
# dpkg-buildpackage -rfakeroot -uc -us
# dpkg -i freeradius_2.1.6-0_i386.deb
- the installer creates the CA and server certs in the /etc/freeradius/certs directory
# cd /etc/freeradius/certs
# make client

next I made a copy of ca.der and client.p12 to the XP directory,
next I opened mmc and installed both of them to Trusted Root Certificate
Authorities and to Personal

exclamation mark on the client certificate:
"windows does not have enough information to verify this certificate"
"you have a private key that corresponds to this certificate"

http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu


changes in /etc/freeradius/eap.conf
only one line has been changed:
default_eap_type = peap

changes in /etc/freeradius/clients.conf
client 192.168.5.0/24 {
secret  = password
shortname   = private-network-2
}

log:

#/etc/init.d/freeradius stop
#freeradius -X
FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on May 19 2009
at 09:45:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/linelog
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/control-socket
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freera

Re: question about windows users

2009-05-19 Thread A . L . M . Buxey
Hi,

> Which Linux distribution should I use? So far I tried debian-etchnhalf, or
> CentOS, and in every How-to it's written that I have to compile it by myself.
> This How-to didn't work anyway... so I will try what you will suggest.
> Bartosz.

there's nothing wrong with compiling it yourself - so long as you have the
right dev libraries installed so all the bits you want get compiled..

you can check what's not going to be built by parsing the configure output

eg

./configure --with-options-you-want  | grep WARNING

ignore the WARNING entries for things you care not about and
fix the WARNING that you need (eap PEAP) by installing the
needed libraries, eg openssl-devel

some distros come with a more recent FreeRADIUS (or have RPM / PKG
available for them - eg Fedora Core 11)


the default config from the source build is pretty much ready for
anything you want after just editing a few lines in the config
(so long as the supporting code - eg EAP ) has been compiled

alan


Re: question about windows users

2009-05-18 Thread Bartosz Chodzinski
> so..somewhere along the line you are playing with the User-Name
> attribute...something
> which you cannot do with EAP - if you take a standard 2.1.6 install and
> make the basic changes
> to your eap.conf and clients.conf it will work.

Which Linux distribution should I use? So far I tried debian-etchnhalf, or
CentOS, and in every How-to it's written that I have to compile it by myself.
This How-to didn't work anyway... so I will try what you will suggest.
Bartosz.

Re: question about windows users

2009-05-18 Thread A . L . M . Buxey
Hi,

> ok (you guys probably hate me :) but please could you still give me the
> answers as you did before)
> but back to the subject:
> I did as you said,
> I installed version 2.0.4 (compiled using suggestions from:
> http://www.fatofthelan.com/articles/articles.php?pid=27
> http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)

you are using an old version, you are using random 3rd party instructions
of dubious dates and knowledge.

> first one:
> when I open properties of the client certificate on XP using the mmc-certificates
> console I have the information that "Windows doesn't have enough information
> to verify this certificate" "You have the proper private key for this
> certificate" (it is a non-English system so it's a translation, but I think the
> translation is ok)

this means you didn't install the CA - ensure you've added it to the trusted CA
list in the system - use the certificate MMC Snapin.

> second one:

original packet has this:

> User-Name = "u...@example.com"

this is then proxied to the system handling example.com:

> rlm_realm: Looking up realm "example.com" for User-Name = "
> u...@example.com"
> rlm_realm: Found realm "example.com"
> rlm_realm: Adding Stripped-User-Name = "user"
> rlm_realm: Adding Realm = "example.com"
> rlm_realm: Proxying request from user user to realm example.com
> rlm_realm: Preparing to proxy authentication request to realm "
> example.com"
> ++[suffix] returns updated

..which then says this:

> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler

so..somewhere along the line you are playing with the User-Name
attribute...something which you cannot do with EAP - if you take a standard
2.1.6 install and make the basic changes to your eap.conf and clients.conf
it will work.

alan


Re: question about windows users

2009-05-18 Thread Ivan Kalik
> I installed 2.0.4 version (compiled using suggestions from:
> http://www.fatofthelan.com/articles/articles.php?pid=27
> http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)
>

If you downloaded the current version, you wouldn't need to ask. You have to
change the Makefile so that client certificates are signed by the CA and not the
server certificate. MS introduced that glitch post XP SP2.

>
> second one:
> rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=138,
> length=147
...
> User-Name = "u...@example.com"
...
> rlm_realm: Found realm "example.com"
> rlm_realm: Adding Stripped-User-Name = "user"
> rlm_realm: Adding Realm = "example.com"
> rlm_realm: Proxying request from user user to realm example.com
...
> Sending Access-Request of id 188 to 127.0.0.1 port 1812
...
> User-Name = "user"
...
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
> ++[eap] returns invalid
> auth: Failed to validate the user.

You can't strip the username in EAP.

Ivan Kalik
Kalik Informatika ISP

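An added example, not code from the thread, that mechanically spots in a `freeradius -X` trace the pattern Ivan and Alan point out above: rlm_realm adds Stripped-User-Name and proxies the request, the outer server prints "Not doing EAP", and the server receiving the proxied copy fails with "Identity does not match User-Name". The two sample traces are constructed from the lines posted in this thread; the remedy the thread gives (a local `realm example.com { }` with no auth_pool) is the page's, not mine.

```python
"""Added example (not from the thread): spot, in a ``freeradius -X`` trace, the
pattern discussed above - rlm_realm strips the User-Name and proxies an EAP
request, and the server receiving the copy rejects it with an identity mismatch."""
import re
from dataclasses import dataclass
from typing import List, Optional

RAD_RECV = re.compile(r"^rad_recv: \S+ packet from host (\S+) port \d+, id=(\d+)")
USER_NAME = re.compile(r'^\s*User-Name = "([^"]*)"')
STRIPPED = re.compile(r'^\[suffix\] Adding Stripped-User-Name = "([^"]*)"')
PROXYING = re.compile(r"^\[suffix\] Proxying request from user \S+ to realm (\S+)")


@dataclass
class RequestTrace:
    """One received packet and what the debug lines say happened to it."""
    host: str
    ident: int
    user_name: str = ""                  # first User-Name after rad_recv
    stripped_to: Optional[str] = None    # Stripped-User-Name added by rlm_realm
    proxied_realm: Optional[str] = None  # realm the request was proxied to
    eap_skipped: bool = False            # "Not doing EAP." on the proxying server
    identity_mismatch: bool = False      # "[eap] Identity does not match User-Name"
    eap_invalid: bool = False            # "++[eap] returns invalid"


def parse_trace(text: str) -> List[RequestTrace]:
    """Split the trace at each rad_recv line and collect per-request facts."""
    requests: List[RequestTrace] = []
    current: Optional[RequestTrace] = None
    for line in text.splitlines():
        if m := RAD_RECV.match(line):
            current = RequestTrace(host=m.group(1), ident=int(m.group(2)))
            requests.append(current)
        elif current is None:
            continue                     # startup noise before the first packet
        elif m := USER_NAME.match(line):
            if not current.user_name:    # later ones belong to the outgoing proxied copy
                current.user_name = m.group(1)
        elif m := STRIPPED.match(line):
            current.stripped_to = m.group(1)
        elif m := PROXYING.match(line):
            current.proxied_realm = m.group(1)
        elif "Not doing EAP" in line:
            current.eap_skipped = True
        elif "Identity does not match User-Name" in line:
            current.identity_mismatch = True
        elif line.startswith("++[eap] returns invalid"):
            current.eap_invalid = True
    return requests


def diagnose(text: str) -> List[str]:
    """One finding per request that shows the strip-and-proxy failure."""
    findings = []
    for r in parse_trace(text):
        if r.stripped_to is not None and r.proxied_realm:
            note = "; EAP skipped on this server" if r.eap_skipped else ""
            findings.append(f"id={r.ident} from {r.host}: realm {r.proxied_realm} "
                            f"rewrote User-Name {r.user_name!r} to "
                            f"{r.stripped_to!r} and proxied it{note}")
        if r.identity_mismatch and r.eap_invalid:
            findings.append(f"id={r.ident} from {r.host}: EAP identity differs "
                            f"from User-Name {r.user_name!r}; EAP rejected it")
    return findings


# Constructed samples, abridged from the traces posted in this thread.
BROKEN_TRACE = """\
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147
User-Name = "user@example.com"
[suffix] Found realm "example.com"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[eap] Request is supposed to be proxied to Realm example.com.  Not doing EAP.
Sending Access-Request of id 14 to 127.0.0.1 port 1812
User-Name = "user"
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14, length=140
User-Name = "user"
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
"""
HEALTHY_TRACE = """\
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160, length=147
User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
++[eap] returns updated
++[eap] returns handled
"""

if __name__ == "__main__":
    for finding in diagnose(BROKEN_TRACE):
        print(finding)
```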


Re: question about windows users

2009-05-18 Thread Bartosz Chodzinski
ok (you guys probably hate me :) but please could you still give me the
answers as you did before)
but back to the subject:
I did as you said,
I installed version 2.0.4 (compiled using suggestions from:
http://www.fatofthelan.com/articles/articles.php?pid=27
http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)

Next, I made one change in eap.conf
default_eap_type = peap #was md5

and I added my switch-client to clients.conf

#cd /etc/freeradius/certs
#rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

I edited:
ca.cnf, client.cnf, server.cnf and I changed one line in each of them
default_bits= 1024 #was 2048

next:
#make ca ca.der dh random server client

Then I copied ca.der and client.p12 to Windows; both of them are
installed in the CA and Personal directories

And two things:

first one:
when I open properties of the client certificate on XP using the mmc-certificates
console I have the information that "Windows doesn't have enough information
to verify this certificate" "You have the proper private key for this
certificate" (it is a non-English system so it's a translation, but I think the
translation is ok)

second one:
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 18 2009
at 12:50:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
user = "freerad"
group = "freerad"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
 client 192.168.5.0/24 {
require_message_authenticator = no
secret = "windows"
shortname = "private-network-2"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryptio

Re: question about windows users

2009-05-18 Thread Alan DeKok
Bartosz Chodzinski wrote:
> /etc/freeradius/certs/README

  I've never understood why people think it's useful to post
documentation from the server on this list.  Do you think we haven't
seen it?

> and something happened:
> ( I think the key information is
> TLS_accept:error in SSLv3 read client certificate A
> rlm_eap: SSL error error::lib(0):func(0):reason(0)
> but uncle google finds as many different answers as people having this problem)

  It means that you're running a server that is YEARS out of date.  Why
not use a more recent version?

> log freeradius -X:

> Sending Access-Challenge of id 115 to 192.168.5.206 port 1812
> EAP-Message =
> 0x010b00350d80002b1403010001011603010020735b6dedb59fdb27811198c86a86bb2fdf2e96ce8f59031cc76f36b80bf1d04c
> Message-Authenticator = 0x
> State = 0x9f4e794b784914b1f67ff19696408712
> Finished request 9
> Going to the next request
> Waking up in 5 seconds...
> --- Walking the entire request list ---
> Cleaning up request 5 ID 111 with timestamp 416c8b35

  This is in the FAQ.  Go read it.

  Alan DeKok.


Re: question about windows users

2009-05-15 Thread Ivan Kalik
> And I put client_cert.pem to both certificate stores Trusted CA and
> Personal
>

You should import the .p12 version onto the client.

> Are you sure that I should not change anything in my server config files
>

Any particular reason you are creating certificates yourself? Why aren't
you using the scripts from the raddb/certs directory? Follow the instructions in
raddb/certs/README.

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-15 Thread Bartosz Chodzinski
Thanks,

I created certificate

openssl  req -new -keyout /etc/freeradius/eap/client_key.pem -out
/etc/freeradius/eap/client_req.pem -days 730 -passin pass:password -passout
pass:password

openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out
/etc/freeradius/eap/client_cert.pem  -passin pass:password -key password
-extensions xpclient_ext -extfile /etc/freeradius/eap/xpextensions -infiles
/etc/freeradius/eap/client_req.pem

And I put client_cert.pem to both certificate stores Trusted CA and Personal

Are you sure that I should not change anything in my server config files?

Anyway it is still not working :(.

Bartosz

On Fri, May 15, 2009 at 2:38 PM, Ivan Kalik  wrote:

> > tls {
> >   private_key_file = /etc/freeradius/eap/newkey.pem
> >   certificate_file = /etc/freeradius/eap/newcert.pem
> >   CA_file = /etc/freeradius/eap/eapCA/cacert.pem
> >   dh_file = /etc/freeradius/eap/dh
> >   random_file = /etc/freeradius/eap/random
> >   fragment_size = 1024
> >   include_length = yes
> >   check_crl = no
> >}
> >
> > I tried both:
> > newcert.pem and/or cacert.pem
> > but still no message on the debug screen:
>
> Neither of them is a client certificate.
>
> newcert - server certificate
> cacert - ca certificate
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: question about windows users

2009-05-15 Thread Ivan Kalik
> tls {
>   private_key_file = /etc/freeradius/eap/newkey.pem
>   certificate_file = /etc/freeradius/eap/newcert.pem
>   CA_file = /etc/freeradius/eap/eapCA/cacert.pem
>   dh_file = /etc/freeradius/eap/dh
>   random_file = /etc/freeradius/eap/random
>   fragment_size = 1024
>   include_length = yes
>   check_crl = no
>}
>
> I tried both:
> newcert.pem and/or cacert.pem
> but still no message on the debug screen:

Neither of them is a client certificate.

newcert - server certificate
cacert - ca certificate

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-15 Thread Bartosz Chodzinski
tls {
  private_key_file = /etc/freeradius/eap/newkey.pem
  certificate_file = /etc/freeradius/eap/newcert.pem
  CA_file = /etc/freeradius/eap/eapCA/cacert.pem
  dh_file = /etc/freeradius/eap/dh
  random_file = /etc/freeradius/eap/random
  fragment_size = 1024
  include_length = yes
  check_crl = no
   }

I tried both:
newcert.pem and/or cacert.pem
but still no message on the debug screen:

(...)
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

Windows client shows: verification failed.

I have to be doing something wrong, but I don't have any idea what.


On Fri, May 15, 2009 at 2:14 PM, Ivan Kalik  wrote:

> > Thank you for the answer.
> > I put this in the personal store, I think it is a client certificate, I gave a
> > commonName ca_auth
> >
> >
> ..
> > Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
> > CN=ca_auth/emailaddress=em...@address.pl
> ...
> > Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
> > CN=ca_auth/emailaddress=em...@address.pl
> ...
> > X509v3 Basic Constraints:
> > CA:TRUE
>
> No, that looks like a self signed root certificate to me.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: question about windows users

2009-05-15 Thread Ivan Kalik
> Thank you for the answer.
> I put this in the personal store, I think it is a client certificate, I gave a
> commonName ca_auth
>
>
..
> Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
> CN=ca_auth/emailaddress=em...@address.pl
...
> Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
> CN=ca_auth/emailaddress=em...@address.pl
...
> X509v3 Basic Constraints:
> CA:TRUE

No, that looks like a self-signed root certificate to me.

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-15 Thread Bartosz Chodzinski
Thank you for the answer.
I put this in the personal store, I think it is a client certificate, I gave it
a commonName of ca_auth


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:61:67:27:8b:7d:0a:b1
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailaddress=em...@address.pl
        Validity
            Not Before: May 13 11:48:35 2004 GMT
            Not After : May 13 11:48:35 2007 GMT
        Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma, CN=ca_auth/emailaddress=em...@address.pl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d6:58:52:3c:76:b7:42:47:e8:8f:31:c8:d2:f8:
                    75:b6:cb:fd:29:d9:da:a2:26:1b:4a:de:c6:3a:dd:
                    23:b8:ab:59:64:ca:cc:63:33:b0:d6:75:4c:d5:66:
                    1d:eb:e6:68:b3:53:b6:61:41:ea:ed:40:a3:49:f8:
                    9b:45:15:d5:86:ef:fd:57:35:ae:af:72:e4:6d:95:
                    3a:d2:ef:6f:de:63:7c:5b:c4:a8:dd:9f:8a:9b:dc:
                    28:6c:18:3b:a6:b6:28:02:91:8c:53:6f:6a:55:db:
                    c3:89:62:24:1c:ea:a4:1c:ff:16:8c:4b:00:e9:f1:
                    ab:96:e1:d0:3a:10:38:41:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                75:F4:EE:DC:BB:08:5C:11:B9:58:9D:64:11:EB:31:47:BF:23:AE:32
            X509v3 Authority Key Identifier:
                keyid:75:F4:EE:DC:BB:08:5C:11:B9:58:9D:64:11:EB:31:47:BF:23:AE:32
                DirName:/C=PL/ST=dolnoslaskie/O=firma/OU=firma/CN=ca_auth/emailaddress=em...@address.pl
                serial:99:61:67:27:8B:7D:0A:B1

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        09:98:54:3d:c1:85:45:79:75:e5:c9:ed:ef:64:e2:8b:e1:5d:
        e6:90:4a:1e:1b:d1:83:3d:74:b3:81:39:a9:dc:cc:6c:3d:5e:
        9f:6e:1c:06:6e:f6:52:40:4a:04:35:24:30:8c:73:eb:01:d6:
        cc:ff:7a:59:2b:72:75:7c:ed:3e:56:86:8a:db:02:66:28:06:
        fa:38:3b:2c:b4:e8:1f:28:22:28:07:06:48:71:59:56:39:ea:
        30:05:7f:41:cb:a7:76:0c:4a:11:4f:0e:21:4e:4d:67:34:5e:
        95:95:82:99:91:f1:af:af:b0:ad:d6:4c:79:90:96:f4:98:c7:
        44:87
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----

am I correct or not?



On Fri, May 15, 2009 at 12:55 PM, Ivan Kalik  wrote:

> > I tried yesterday many times using different options but it doesn't work,
> > any idea what can be wrong?
>
> Looking at this:
>
> >> http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
> >>
>
> you have put the CA (ca_auth), not the client certificate, in the personal store.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: question about windows users

2009-05-15 Thread Ivan Kalik
> I tried yesterday many times using different options but it doesn't work,
> any idea what can be wrong?

Looking at this:

>> http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
>>

you have put the CA (ca_auth), not the client certificate, in the personal store.

Ivan Kalik
Kalik Informatika ISP

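An added example, written for this page rather than taken from the thread or from FreeRADIUS: a small Python checker for the text form of a certificate (the output of `openssl x509 -noout -text`, which is what was posted above) that reports what Ivan read off the dump by eye, namely that Issuer equals Subject and Basic Constraints says CA:TRUE, so this is a self-signed CA and not a client certificate. It also reports the two things the rest of the thread runs into: the validity window (the posted certificate expired in May 2007, so it only verifies when the clocks are set back, as was done further down) and the Extended Key Usage values the Windows supplicant looks for on EAP-TLS client and server certificates. The function names and the dates checked are mine, and the embedded sample is the posted dump with the modulus and signature cut short.

```python
"""
Added example (not from this thread or from FreeRADIUS): a checker for the
text form of a certificate, i.e. what `openssl x509 -in cert.pem -noout -text`
prints, answering the questions raised in this thread: is the certificate
self-signed, is it a CA, does it carry the Extended Key Usage values Windows
looks for, and is it valid on a given date.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the dump posted in this thread, with the modulus and
# signature shortened; the wrapped Issuer/Subject lines are kept as archived.
SAMPLE_DUMP = """\
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:61:67:27:8b:7d:0a:b1
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
CN=ca_auth/emailaddress=em...@address.pl
Validity
Not Before: May 13 11:48:35 2004 GMT
Not After : May 13 11:48:35 2007 GMT
Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
CN=ca_auth/emailaddress=em...@address.pl
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d6:58:52:3c:76:b7:42:47:e8:8f:31:c8:d2:f8:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
75:F4:EE:DC:BB:08:5C:11:B9:58:9D:64:11:EB:31:47:BF:23:AE:32
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
09:98:54:3d:c1:85:45:79:75:e5:c9:ed:ef:64:e2:8b:e1:5d:
"""

CLIENT_AUTH = "TLS Web Client Authentication"   # id-kp-clientAuth, 1.3.6.1.5.5.7.3.2
SERVER_AUTH = "TLS Web Server Authentication"   # id-kp-serverAuth, 1.3.6.1.5.5.7.3.1


def _between(text, start, stop_pattern):
    """Text after the `start` label up to `stop_pattern`, joined onto one line
    (openssl wraps long names, and mail clients wrap them again)."""
    m = re.search(re.escape(start) + r"\s*(.*?)\s*" + stop_pattern, text, re.S)
    return " ".join(m.group(1).split()) if m else ""


def _utc(s):
    # e.g. "May 13 11:48:35 2004 GMT"; openssl space-pads the day for 1..9
    parts = s.split()
    return datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_x509_text(text):
    """Pull the fields we care about out of an `openssl x509 -text` dump."""
    eku = re.search(r"Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    ca = re.search(r"Basic Constraints:[^\n]*\n\s*CA:(TRUE|FALSE)", text)
    bits = re.search(r"(?:RSA Public Key|Public-Key): \((\d+) bit\)", text)
    return {
        "issuer": _between(text, "Issuer:", r"\n\s*Validity"),
        "subject": _between(text, "Subject:", r"\n\s*Subject Public Key Info"),
        "not_before": _utc(re.search(r"Not Before\s*:\s*([^\n]+)", text).group(1)),
        "not_after": _utc(re.search(r"Not After\s*:\s*([^\n]+)", text).group(1)),
        "ca": bool(ca and ca.group(1) == "TRUE"),
        "eku": [e.strip() for e in eku.group(1).split(",")] if eku else [],
        "bits": int(bits.group(1)) if bits else None,
    }


def is_valid_at(cert, when):
    return cert["not_before"] <= when <= cert["not_after"]


def is_client_certificate(cert):
    """What the Windows supplicant accepts under 'smart card or other
    certificate' for EAP-TLS: an end-entity certificate carrying clientAuth."""
    return not cert["ca"] and CLIENT_AUTH in cert["eku"]


def assess(cert, when):
    """Human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed (Issuer == Subject)")
    if cert["ca"]:
        findings.append("CA:TRUE: this is a CA certificate, not a client or server certificate")
    if not cert["eku"]:
        findings.append(f"no Extended Key Usage: Windows wants '{CLIENT_AUTH}' on the client "
                        f"certificate and '{SERVER_AUTH}' on the RADIUS server certificate")
    if not is_valid_at(cert, when):
        findings.append(f"not valid on {when:%Y-%m-%d}: valid from "
                        f"{cert['not_before']:%Y-%m-%d} to {cert['not_after']:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    cert = parse_x509_text(SAMPLE_DUMP)
    for when in (datetime(2009, 5, 14, tzinfo=timezone.utc),
                 datetime(2005, 5, 14, tzinfo=timezone.utc)):
        print(f"checked against {when:%Y-%m-%d}:")
        for finding in assess(cert, when):
            print("  -", finding)
```

Run against the posted dump with the thread's real date (May 2009) it reports four findings; with the clock set back to May 2005 the validity finding goes away but the certificate is still a self-signed CA with no EKU, which is why it cannot serve as the client certificate no matter which store it is put in.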


Re: question about windows users

2009-05-15 Thread Bartosz Chodzinski
I tried yesterday many times using different options but it doesn't work, any
idea what can be wrong?
Bartosz.

On Thu, May 14, 2009 at 3:45 PM, Bartosz Chodzinski wrote:

> OK, full information:
> a JPG with all settings on the non-working client
>
> http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
>
> I think it is correct, because it works with EAP (PEAP); am I wrong?
> Bartosz.
>
>
>
> On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik  wrote:
>
>> > I am sorry, I gave you the wrong debug.
>> >
>> > Whatever is marked or unmarked on the checkbox
>> > local connection->authentication->keep in memory information about users
>> > for additional network connection,
>> > the server does not have any new lines in the debug, like nothing happened
>> > at all.
>> >
>>
>> It can't find the client certificate. Check the certificate store and see if
>> the certificate is where it is supposed to be.
>>
>
>

Re: question about windows users

2009-05-14 Thread Bartosz Chodzinski
I know that the date may be weird, but it doesn't matter:
debian-etch:~# date
Sat May 14 15:46:10 CEST 2005

The Windows date is May 2005 as well,
and the switch as well.
I forgot to check the date when I created the certificates, but after changing the date
on the server and the client it is not a problem.

Bartosz.


On Thu, May 14, 2009 at 3:45 PM, Bartosz Chodzinski wrote:

> OK, full information:
> a JPG with all settings on the non-working client
>
> http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
>
> I think it is correct, because it works with EAP (PEAP); am I wrong?
> Bartosz.
>
>
>
> On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik  wrote:
>
>> > I am sorry, I gave you the wrong debug.
>> >
>> > Whatever is marked or unmarked on the checkbox
>> > local connection->authentication->keep in memory information about users
>> > for additional network connection,
>> > the server does not have any new lines in the debug, like nothing happened
>> > at all.
>> >
>>
>> It can't find the client certificate. Check the certificate store and see if
>> the certificate is where it is supposed to be.
>>
>
>

Re: question about windows users

2009-05-14 Thread Bartosz Chodzinski
OK, full information:
a JPG with all settings on the non-working client

http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj

I think it is correct, because it works with EAP (PEAP); am I wrong?
Bartosz.


On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik  wrote:

> > I am sorry, I gave you the wrong debug.
> >
> > Whatever is marked or unmarked on the checkbox
> > local connection->authentication->keep in memory information about users
> > for additional network connection,
> > the server does not have any new lines in the debug, like nothing happened at all.
> >
>
> It can't find the client certificate. Check the certificate store and see if
> the certificate is where it is supposed to be.
>

Re: question about windows users

2009-05-14 Thread Ivan Kalik
> I am sorry, I gave you the wrong debug.
>
> Whatever is marked or unmarked on the checkbox
> local connection->authentication->keep in memory information about users
> for additional network connection,
> the server does not have any new lines in the debug, like nothing happened at all.
>

It can't find the client certificate. Check the certificate store and see if
the certificate is where it is supposed to be.



Re: question about windows users

2009-05-14 Thread Ivan Kalik
>>> What "doesn't work"? Post the debug.
> server:
> I didn't change my config file; it is the same as in the first message.
>
> client (win xp):
> I have local connection->authentication->method->eap(peap)->properties:
>    validate server cert (marked checkbox),
>    marked cacert.pem,
>    secured password eap-mschapv2 - use my windows logon
>
> it works properly, but only with the correct user/pass in
> /etc/freeradius/users
> file

OK. That's PEAP.

>
> now I change
> local connection->authentication->method->smart card or other
> certificate->properties:
>    validate server cert (marked checkbox),
>    marked cacert.pem,
> local connection->authentication->keep in memory inf about users for
> additional network connection (unmarked checkbox - when marked nothing
> happened at all)
>
> debug
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37,
> length=159
> NAS-IP-Address = 192.168.5.206
> NAS-Port = 50046
> NAS-Port-Type = Ethernet
> User-Name = "PC-01\\Administrator"
> Called-Station-Id = "00-0C-30-81-9B-EE"
> Calling-Station-Id = "00-0A-E4-13-1A-02"
> Service-Type = Framed-User
> Framed-MTU = 1500
> EAP-Message =
> 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
> Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.

The name on the certificate is not the same as that User-Name. Fix that.

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-14 Thread Bartosz Chodzinski
I am sorry, I gave you the wrong debug.

Whatever is marked or unmarked on the checkbox
local connection->authentication->keep in memory information about users for
additional network connection,
the server does not have any new lines in the debug, like nothing happened at all.



On Thu, May 14, 2009 at 2:24 PM, Bartosz Chodzinski wrote:

> >> What "doesn't work"? Post the debug.
> server:
> I didn't change my config file; it is the same as in the first message.
>
> client (win xp):
> I have local connection->authentication->method->eap(peap)->properties:
>    validate server cert (marked checkbox),
>    marked cacert.pem,
>    secured password eap-mschapv2 - use my windows logon
>
> it works properly, but only with the correct user/pass in
> /etc/freeradius/users file
>
> now I change
> local connection->authentication->method->smart card or other
> certificate->properties:
>    validate server cert (marked checkbox),
>    marked cacert.pem,
> local connection->authentication->keep in memory inf about users for
> additional network connection (unmarked checkbox - when marked nothing
> happened at all)
>
> debug
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37,
> length=159
> NAS-IP-Address = 192.168.5.206
> NAS-Port = 50046
> NAS-Port-Type = Ethernet
> User-Name = "PC-01\\Administrator"
> Called-Station-Id = "00-0C-30-81-9B-EE"
> Calling-Station-Id = "00-0A-E4-13-1A-02"
> Service-Type = Framed-User
> Framed-MTU = 1500
> EAP-Message =
> 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
> Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> Sending Access-Reject of id 37 to 192.168.5.206 port 1812
>
>

Re: question about windows users

2009-05-14 Thread Bartosz Chodzinski
>> What "doesn't work"? Post the debug.
server:
I didn't change my config file; it is the same as in the first message.

client (win xp):
I have local connection->authentication->method->eap(peap)->properties:
   validate server cert (marked checkbox),
   marked cacert.pem,
   secured password eap-mschapv2 - use my windows logon

it works properly, but only with the correct user/pass in /etc/freeradius/users
file

now I change
local connection->authentication->method->smart card or other
certificate->properties:
   validate server cert (marked checkbox),
   marked cacert.pem,
local connection->authentication->keep in memory inf about users for
additional network connection (unmarked checkbox - when marked nothing
happened at all)

debug

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206:1812, id=37,
length=159
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "PC-01\\Administrator"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message =
0x021b014e4c504c2d4943455c41646d696e6973747261746f72
Message-Authenticator = 0x2430d7c8a84cc54874addee9104cf076
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Sending Access-Reject of id 37 to 192.168.5.206 port 1812

Re: question about windows users

2009-05-14 Thread Ivan Kalik
>> 2.0.4 should be available for Debian.
> I know, FreeRADIUS 2.0.4 is available for Debian lenny but not etch,
> unfortunately.
>

http://packages.debian.org/search?keywords=freeradius


>> 2. Use EAP-TLS to connect (Smart card or certificate in Windows speak).
> Could you write me where in the config to put that?

There is nothing to configure on the server - it works in the default
configuration with the default CA and server certificates and client
certificates made following the instructions in raddb/certs/README (2.0.4 - on
1.1.3 you have to generate certificates yourself).

> I tried what is described below but it
> doesn't work

What "doesn't work"? Post the debug.

> and I set up on xp:
> local connection->properites->authentication->smart card or certificate,
> and
> I chose my cacert.pem

You should import .der version for Windows. And .p12 for client certificate.

Ivan Kalik
Kalik Informatika ISP



Re: question about windows users

2009-05-14 Thread Bartosz Chodzinski
> 2.0.4 should be available for Debian.
I know, FreeRADIUS 2.0.4 is available for Debian lenny but not etch,
unfortunately.

> 2. Use EAP-TLS to connect (Smart card or certificate in Windows speak).
Could you write me where in the config to put that? I tried what is described below but it
doesn't work
eap.conf:
eap {
default_eap_type = tls

  }
and I set up on XP:
local connection->properties->authentication->smart card or certificate, and
I chose my cacert.pem

how do I configure it that way?
thank you for the rapid answer.
Bartosz.




On Thu, May 14, 2009 at 12:54 PM, Ivan Kalik  wrote:

> > I have freeradius with eap support on debian etch, radius v1.1.3
>
> 2.0.4 should be available for Debian. Upgrade. Vista doesn't work with
> 1.1.3. And you will have problems with XP SP3.
>
> > "everything" is working fine but I'd like to have a much simpler
> > configuration,
> > only by certificate and nothing more,
> > so I have a few questions:
> >
> > 1.
> > fragment of my log first, before question
> > Listening on authentication *:1812
> > Listening on accounting *:1813
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182,
> > length=159
> > NAS-IP-Address = 192.168.5.206
> > NAS-Port = 50046
> > NAS-Port-Type = Ethernet
> > User-Name = "PC-01\\Administrator"
> > Called-Station-Id = "00-0C-30-81-9B-EE"
> > Calling-Station-Id = "00-0A-E4-13-1A-02"
> > Service-Type = Framed-User
> > Framed-MTU = 1500
> > EAP-Message =
> > 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
> > Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> > rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up
> > realm
> > NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> >
> > my users file contains:
> > "PC-01\\Administrator" User-Password == "passwd"
> >
> > how can I avoid this value PC-01? It's really annoying, I would like to
> > have only the real user; PC-01 is "my computer -> properties -> computer name
> > ->
> > full computer name". I would like to have only the username (regardless of
> > case sensitivity).
>
> 1. Don't use windows logon name. Untick that when you are making the
> connection.
>
> 2. You can't strip username in EAP. Use ntdomain. It's listed but
> commented out in default configuration.
>
> > something like
> > "administrator" User-Password == "passwd"
> >
>
> For that to work add domain bit as local realm to proxy.conf.
>
> > 2.
> > I would like to use only a certificate to check whether or not some computer
> > should have a network connection,
> > I don't care about login or password,
> > if the client has a valid cacert.pem installed on the PC (Windows XP) it should
> > grant access to the network, is it possible to do that?
>
> Use EAP-TLS to connect (Smart card or certificate in Windows speak).
>
> > 3.
> > when I read the log from freeradius -X I see that one PC needs to have
> > 7 requests
> > in freeradius and on the 8th request it is accepted, is it OK?
> >
>
> Yes.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: question about windows users

2009-05-14 Thread Ivan Kalik
> I have freeradius with eap support on debian etch, radius v1.1.3

2.0.4 should be available for Debian. Upgrade. Vista doesn't work with
1.1.3. And you will have problems with XP SP3.

> "everything" is working fine but I'd like to have a much simpler
> configuration,
> only by certificate and nothing more,
> so I have a few questions:
>
> 1.
> fragment of my log first, before question
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182,
> length=159
> NAS-IP-Address = 192.168.5.206
> NAS-Port = 50046
> NAS-Port-Type = Ethernet
> User-Name = "PC-01\\Administrator"
> Called-Station-Id = "00-0C-30-81-9B-EE"
> Calling-Station-Id = "00-0A-E4-13-1A-02"
> Service-Type = Framed-User
> Framed-MTU = 1500
> EAP-Message =
> 0x021b014e4c504c2d4943455c41646d696e6973747261746f72
> Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up
> realm
> NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>
> my users file contains:
> "PC-01\\Administrator" User-Password == "passwd"
>
> how can I avoid this value PC-01? It's really annoying, I would like to
> have only the real user; PC-01 is "my computer -> properties -> computer name
> ->
> full computer name". I would like to have only the username (regardless of
> case sensitivity).

1. Don't use windows logon name. Untick that when you are making the
connection.

2. You can't strip username in EAP. Use ntdomain. It's listed but
commented out in default configuration.

> something like
> "administrator" User-Password == "passwd"
>

For that to work add domain bit as local realm to proxy.conf.

> 2.
> I would like to use only a certificate to check whether or not some computer
> should have a network connection,
> I don't care about login or password,
> if the client has a valid cacert.pem installed on the PC (Windows XP) it should
> grant access to the network, is it possible to do that?

Use EAP-TLS to connect (Smart card or certificate in Windows speak).

> 3.
> when I read the log from freeradius -X I see that one PC needs to have
> 7 requests
> in freeradius and on the 8th request it is accepted, is it OK?
>

Yes.

Ivan Kalik
Kalik Informatika ISP

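An added example, mine rather than code from the thread or from FreeRADIUS, for two points in this thread: the `rlm_eap: Identity does not match User-Name` line in the 14 May debug, and the advice above that the username cannot be stripped inside EAP and that the ntdomain realm should be used to split off the domain instead. It decodes the EAP-Response/Identity that the EAP-Message attribute carries, applies the same equality check rlm_eap makes, and splits `DOMAIN\user` the way rlm_realm does with `format = prefix` and `delimiter = "\\"` (the ntdomain instance in the default proxy.conf). The sample packet is constructed for the User-Name shown in the debug; the EAP-Message hex as archived in this thread does not decode as a complete RFC 3748 packet (its Length field does not match the number of bytes), so the example shows the parser rejecting it rather than guessing at it.

```python
"""
Added example (not from this thread or from FreeRADIUS): decode the
EAP-Response/Identity carried in a RADIUS EAP-Message, compare the identity
with User-Name as rlm_eap does before logging "Identity does not match
User-Name", and split a DOMAIN\\user name the way rlm_realm's ntdomain format
does, which is the alternative to stripping the name.
"""
import struct

EAP_RESPONSE = 2        # RFC 3748 Code field
EAP_TYPE_IDENTITY = 1   # RFC 3748 Type field


def eap_message_from_debug(value):
    """Turn the `EAP-Message = 0x...` value printed by `freeradius -X` into bytes."""
    v = value.strip()
    return bytes.fromhex(v[2:] if v.lower().startswith("0x") else v)


def build_eap_identity(ident, identity):
    """Construct an EAP-Response/Identity: Code, Identifier, Length (whole
    packet, big-endian), Type, then the identity octets. Used for sample input."""
    body = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(body), EAP_TYPE_IDENTITY) + body


def parse_eap_identity(packet):
    """Decode an EAP-Response/Identity; raise ValueError for anything else,
    including a packet whose Length field disagrees with its actual size."""
    if len(packet) < 5:
        raise ValueError("shorter than EAP header plus Type")
    code, ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError(f"Length field says {length}, packet has {len(packet)} bytes")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError(f"not a Response/Identity (code {code}, type {eap_type})")
    return {"code": code, "id": ident, "length": length,
            "identity": packet[5:].decode("utf-8", errors="replace")}


def parses_as_identity(packet):
    """True when the bytes are a well-formed EAP-Response/Identity."""
    try:
        parse_eap_identity(packet)
        return True
    except ValueError:
        return False


def identity_matches_user_name(packet, user_name):
    """rlm_eap's check: the EAP identity must equal the RADIUS User-Name.
    When it does not, the server logs the mismatch and uses the EAP identity."""
    return parse_eap_identity(packet)["identity"] == user_name


def ntdomain_split(user_name):
    """rlm_realm with format = prefix and delimiter = "\\" (the ntdomain
    instance): DOMAIN\\user -> (realm, Stripped-User-Name). Only the name used
    for lookups changes; the EAP identity stays as the supplicant sent it."""
    if "\\" not in user_name:
        return None, user_name            # no realm; FreeRADIUS looks up "NULL"
    realm, user = user_name.split("\\", 1)
    return realm, user


# Constructed sample: the User-Name from the 14 May debug. freeradius -X prints
# the backslash escaped, so the attribute value has a single backslash.
SAMPLE_USER_NAME = "PC-01\\Administrator"
SAMPLE_PACKET = build_eap_identity(0, SAMPLE_USER_NAME)

# The hex as archived in the thread. Its Length field does not match the data,
# so the parser rejects it rather than guessing what the supplicant sent.
ARCHIVED_EAP_MESSAGE = "0x021b014e4c504c2d4943455c41646d696e6973747261746f72"

if __name__ == "__main__":
    print(parse_eap_identity(SAMPLE_PACKET))
    print("matches User-Name:", identity_matches_user_name(SAMPLE_PACKET, SAMPLE_USER_NAME))
    print("archived hex parses:", parses_as_identity(eap_message_from_debug(ARCHIVED_EAP_MESSAGE)))
    print("ntdomain split:", ntdomain_split(SAMPLE_USER_NAME))
```

The equality check is exact, so a supplicant that sends `Administrator` as its EAP identity while the NAS puts `PC-01\Administrator` in User-Name (or the other way round) will trip the warning; the ntdomain split leaves User-Name alone and only gives the users file a `Stripped-User-Name` of `Administrator` to match on.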