Re: Re: Re: EAP/TLS Setup problem
Hi,

I have almost managed to install the EAP/TLS authentication with my AP DWL AP 1000 + but I have still a problem in my freeRadius configuration.
I got the following error message:
" ...Error : rlm_eap_tls : conf N ctx stored ..."
What does it mean?

Thanks a lot for your help
Best regards
Jean-Guillaume

ps: I joined in attachment my server logs.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/wifiradius.pem"
tls: certificate_file = "/etc/1x/wifiradius.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "adminwifi"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radut
Re: Re: Re: EAP/TLS Setup problem
Hi Jeson,

Thanks for your help. I finally found the problem. It was because I use the same name for the client and the server, and those names were not correct on the local network (I forgot to add the domain). You have to use names that are in the DNS...

Jean-Guillaume

----- Original Message -----
From: "王志欣" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 12:00 AM
Subject: Re: Re: Re: EAP/TLS Setup problem

Hi Jean-Guillaume,

Sorry for delay. I look through your script. Only difference between us is I only use OpenSSL-0.9.7b. Please create Root certificate first, and then server and client certificate. Let's test it again.

Jeson
[EMAIL PROTECTED]
2003-06-23

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
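Added example (not part of the thread, and not code from OpenSSL or FreeRADIUS): a Python pre-flight check of an `openssl ca` database file for the index clash that `openssl ca` reports as "failed to update database / TXT_DB error number 2", here a new subject that matches an existing valid row, as happens when client and server certificates are given the same name. The sample index.txt rows and every name in them are constructed.

```python
from collections import namedtuple

# Columns of an `openssl ca` database (index.txt), tab-separated.
Entry = namedtuple("Entry", "status expires revoked serial filename subject")

# Constructed sample database; the names are placeholders, not from the thread.
SAMPLE_INDEX = (
    "V\t040619074512Z\t\t01\tunknown\t/C=FR/O=Example/CN=radius.example.lan\n"
    "R\t040619074520Z\t030620101500Z\t02\tunknown\t/C=FR/O=Example/CN=laptop1.example.lan\n"
)

def parse_index(text):
    """Parse index.txt content into Entry rows, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        entries.append(Entry(*fields))
    return entries

def common_name(subject):
    """Return the CN component of a /-separated subject, or None."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None

def check_new_subject(entries, subject):
    """List (problem, serial) pairs for a subject about to be signed:
    "subject-clash" when a valid (V) row already has this exact subject,
    "same-cn" when only the CN matches (client and server share a name)."""
    problems = []
    for e in entries:
        if e.status != "V":
            continue  # revoked (R) and expired (E) rows do not block reuse
        if e.subject == subject:
            problems.append(("subject-clash", e.serial))
        elif common_name(subject) and common_name(e.subject) == common_name(subject):
            problems.append(("same-cn", e.serial))
    return problems

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for dn in ("/C=FR/O=Example/CN=radius.example.lan", "/C=FR/O=Example/CN=client1.example.lan"):
        print(dn, check_new_subject(db, dn))
```

Run it against the CA's real index.txt before signing the client request; an empty result means no valid row shares the subject or CN.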
Re: Re: Re: EAP/TLS Setup problem
Hi Jean-Guillaume,

Sorry for delay. I look through your script. Only difference between us is I only use OpenSSL-0.9.7b. Please create Root certificate first, and then server and client certificate. Let's test it again.

Jeson
[EMAIL PROTECTED]
2003-06-23
Re: Re: EAP/TLS Setup problem
Hi Jason,

I forgot to say that I am on a freeBSD box.
I put in attachment the install programs I used.
In addition I give you the logs (when doing ./CA.clt, the ./CA.root and ./CA.svr were OK):

X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 19 07:46:03 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
No certificate matches private key
1228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:unable to load certificate
1229:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

Thanks a lot for your help.

Best Regards

Jean-Guillaume

----- Original Message -----
From: "王志欣" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 3:22 AM
Subject: Re: Re: EAP/TLS Setup problem

Hi Jean-Guillaume,

I also follow this guide. I succeed. Please post your log information.

Jeson
[EMAIL PROTECTED]
2003-06-20

CA.clt Description: Binary data
CA.root Description: Binary data
CA.svr Description: Binary data
installfreeradius Description: Binary data
openssl Description: Binary data
openssl.cnf Description: Binary data
random Description: Binary data
xpextensions Description: Binary data
Re: Re: EAP/TLS Setup problem
Hi Jean-Guillaume,

I also follow this guide. I succeed. Please post your log information.

Jeson
[EMAIL PROTECTED]
2003-06-20

>Hi Umesh,
>
>I am trying to install a freeradius/EAP-TLS authentication for my wireless
>network (DWL 1000 AP +) by following the instructions at
>http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but
>I don't manage to create correctly the certificate ...
>(I use openssl-0.9.7b)
>How do you manage to do it?
>
>Thanks a lot for your help,
>
>Best regards,
>
>Jean-Guillaume
>
>
>----- Original Message -----
>From: "Umesh" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, June 10, 2003 8:54 AM
>Subject: EAP/TLS Setup problem
>
>
>> Hi All,
>>
>> I am new to FreeRadius. I am trying to setup EAP/TLS authentication. I have
>> installed OpenSSL-0.9.7b and FreeRadius 0.8.1. I followed the instructions at
>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but when I run
>>
>> radiusd -x -A, an error occurs - Unknown value "EAP".
>> (I have set Auth-Type=EAP in /etc/raddb/users)
>> Any help would be appreciated.
>>
>> Regards,
>> Umesh