Re: Re: Re: EAP/TLS Setup problem

2003-06-24 Thread Jean-Guillaume LALANNE
Hi,

I have almost managed to install the EAP/TLS authentication with my AP DWL
AP 1000 +, but I still have a problem in my FreeRADIUS configuration.
I got the following error message:

" ...Error : rlm_eap_tls : conf N ctx stored ..."

What does it mean?

Thanks a lot for your help

Best regards

Jean-Guillaume

PS: I have attached my server logs.
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/wifiradius.pem"
 tls: certificate_file = "/etc/1x/wifiradius.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "adminwifi"
 tls: dh_file = "/etc/1x/DH"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored 
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radut
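
The debug output above prints every module setting, including `private_key_password`, and shows 512-bit values for both `tls` key lengths. The following is an added example, not part of the thread or of FreeRADIUS: it parses lines in that `module: key = value` format, flags those two conditions, and masks secrets before a log is shared. The sample lines, the 2048-bit floor and the function names are assumptions.

```python
import re

# Constructed sample in the format of the debug output posted above;
# the password value is a placeholder, not the one from the thread.
SAMPLE_LOG = '''\
 eap: default_eap_type = "tls"
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: private_key_file = "/etc/1x/wifiradius.pem"
 tls: private_key_password = "EXAMPLE-PLACEHOLDER"
rlm_eap_tls: conf N ctx stored
'''

SETTING = re.compile(r'^\s+(\w+): (\w+) = (.*?)\s*$')
SECRET_KEY = re.compile(r'password|secret', re.I)   # assumption: key-name heuristic
SECRET_LINE = re.compile(
    r'^([ \t]+\w+: \w*(?:password|secret)\w* = ).*$', re.M | re.I)
MIN_KEY_BITS = 2048                                 # assumption: local policy floor


def parse_settings(log_text):
    """Return {(module, key): value} for every ' module: key = value' line."""
    out = {}
    for line in log_text.splitlines():
        m = SETTING.match(line)
        if m:
            out[(m.group(1), m.group(2))] = m.group(3).strip('"')
    return out


def audit(settings):
    """Flag short key lengths and secrets present in the dump (values not echoed)."""
    findings = []
    for (module, key), value in sorted(settings.items()):
        if key.endswith('_key_length') and value.isdigit() and int(value) < MIN_KEY_BITS:
            findings.append(f'{module}.{key}={value}: below {MIN_KEY_BITS} bits')
        if SECRET_KEY.search(key) and value not in ('', '(null)'):
            findings.append(f'{module}.{key}: secret in log, redact before sharing')
    return findings


def redact(log_text):
    """Mask the value of any secret-looking key; other lines are left untouched."""
    return SECRET_LINE.sub(r'\1"<redacted>"', log_text)


if __name__ == '__main__':
    for finding in audit(parse_settings(SAMPLE_LOG)):
        print(finding)
```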

Re: Re: Re: EAP/TLS Setup problem

2003-06-23 Thread Jean-Guillaume LALANNE
Hi Jeson,

Thanks for your help.
I finally found the problem.
It was because I used the same name for the client and the server, and those
names were not correct on the local network (I forgot to add the domain).
You have to use names that are in the DNS...

Jean-Guillaume


- Original Message -
From: "王志欣" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 12:00 AM
Subject: Re: Re: Re: EAP/TLS Setup problem


Hi Jean-Guillaume,

  Sorry for the delay.

  I looked through your script. The only difference between us is that I only
use OpenSSL-0.9.7b. Please create the root certificate first, and then the
server and client certificates. Let's test it again.

        Jeson
[EMAIL PROTECTED]
  2003-06-23

>Hi Jason,
>
>I forgot to say that I am on a FreeBSD box.
>I have attached the install programs I used.
>In addition, I give you the logs (when doing ./CA.clt, the ./CA.root
>and ./CA.svr were OK):
>
>
>
>
>X509v3 extensions:
>X509v3 Extended Key Usage:
>TLS Web Client Authentication
>Certificate is to be certified until Jun 19 07:46:03 2004 GMT (365 days)
>Sign the certificate? [y/n]:y
>failed to update database
>TXT_DB error number 2
>No certificate matches private key
>1228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:unable to load certificate
>1229:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
>
>
>Thanks a lot for your help.
>
>Best Regards
>
>Jean-Guillaume
>
>
>
>- Original Message -----
>From: "王志欣" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Friday, June 20, 2003 3:22 AM
>Subject: Re: Re: EAP/TLS Setup problem
>
>
>Hi Jean-Guillaume,
>
>I also followed this guide, and I succeeded. Please post your log information.
>
>
>   Jeson
>[EMAIL PROTECTED]
>  2003-06-20
>
>>Hi Umesh,
>>
>>I am trying to install a freeradius/EAP-TLS authentication for my wireless
>>network (DWL 1000 AP +) by following the instructions at
>>http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but
>>I can't manage to create the certificate correctly ...
>>(I use openssl-0.9.7b)
>>How do you manage to do it?
>>
>>Thanks a lot for your help,
>>
>>Best regards,
>>
>>Jean-Guillaume
>>
>>
>>- Original Message -
>>From: "Umesh" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Sent: Tuesday, June 10, 2003 8:54 AM
>>Subject: EAP/TLS Setup problem
>>
>>
>>> Hi All,
>>>
>>> I am new to FreeRadius. I am trying to set up EAP/TLS authentication. I have
>>> installed OpenSSL-0.9.7b and FreeRadius 0.8.1. I followed the instructions at
>>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but when I run
>>>
>>> radiusd -x -A, an error occurs - Unknown value "EAP".
>>> (I have set Auth-Type=EAP in /etc/raddb/users)
>>> Any help would be appreciated.
>>>
>>> Regards,
>>> Umesh
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
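
The client-certificate step in the quoted log fails with `TXT_DB error number 2`, which `openssl ca` reports when a new entry collides with an existing row of the CA database; reusing one name for the server and the client, as the poster describes, is consistent with such a collision. The check below is an added example, not part of the thread or of the HOWTO's scripts; the index rows, subjects and function names are constructed for illustration.

```python
# Constructed sample of a CA database (index.txt) as `openssl ca` maintains it:
# tab-separated status, expiry, revocation date, serial, file name, subject.
SAMPLE_INDEX = (
    "R\t030601000000Z\t030610000000Z\t01\tunknown\t"
    "/C=FR/O=Example/CN=laptop.example.test\n"
    "V\t040619074603Z\t\t02\tunknown\t"
    "/C=FR/O=Example/CN=radius.example.test\n"
)


def parse_index(text):
    """Return one dict per row; a row with an unexpected layout raises ValueError."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {n}: unexpected layout")
        status, _expiry, _revoked, serial, _fname, subject = fields
        rows.append({"status": status, "serial": serial.upper(), "subject": subject})
    return rows


def clash_reason(rows, subject, serial):
    """Explain why adding (subject, serial) would collide, or return None."""
    for row in rows:
        if row["serial"] == serial.upper():
            return f"serial {serial} already issued"
        # Only still-valid (V) entries block a repeated subject.
        if row["status"] == "V" and row["subject"] == subject:
            return f"valid certificate already exists for {subject}"
    return None


if __name__ == "__main__":
    rows = parse_index(SAMPLE_INDEX)
    # Client request that reuses the server's subject: reported as a clash.
    print(clash_reason(rows, "/C=FR/O=Example/CN=radius.example.test", "03"))
    # Client request with its own name: no clash, prints None.
    print(clash_reason(rows, "/C=FR/O=Example/CN=client1.example.test", "03"))
```

Running it against the real `index.txt` before signing shows whether the server and client requests carry distinct subjects.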


Re: Re: Re: EAP/TLS Setup problem

2003-06-22 Thread 王志欣
Hi Jean-Guillaume,

  Sorry for the delay.

  I looked through your script. The only difference between us is that I only use OpenSSL-0.9.7b.
Please create the root certificate first, and then the server and client certificates. Let's
test it again.

        Jeson
[EMAIL PROTECTED]
  2003-06-23

>Hi Jason,
>
>I forgot to say that I am on a FreeBSD box.
>I have attached the install programs I used.
>In addition, I give you the logs (when doing ./CA.clt, the ./CA.root
>and ./CA.svr were OK):
>
>
>
>
>X509v3 extensions:
>X509v3 Extended Key Usage:
>TLS Web Client Authentication
>Certificate is to be certified until Jun 19 07:46:03 2004 GMT (365 days)
>Sign the certificate? [y/n]:y
>failed to update database
>TXT_DB error number 2
>No certificate matches private key
>1228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:unable to load certificate
>1229:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
>
>
>Thanks a lot for your help.
>
>Best Regards
>
>Jean-Guillaume
>
>
>
>- Original Message -
>From: "王志欣" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Friday, June 20, 2003 3:22 AM
>Subject: Re: Re: EAP/TLS Setup problem
>
>
>Hi Jean-Guillaume,
>
>I also followed this guide, and I succeeded. Please post your log information.
>
>
>   Jeson
>[EMAIL PROTECTED]
>  2003-06-20
>
>>Hi Umesh,
>>
>>I am trying to install a freeradius/EAP-TLS authentication for my wireless
>>network (DWL 1000 AP +) by following the instructions at
>>http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but
>>I can't manage to create the certificate correctly ...
>>(I use openssl-0.9.7b)
>>How do you manage to do it?
>>
>>Thanks a lot for your help,
>>
>>Best regards,
>>
>>Jean-Guillaume
>>
>>
>>- Original Message -
>>From: "Umesh" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Sent: Tuesday, June 10, 2003 8:54 AM
>>Subject: EAP/TLS Setup problem
>>
>>
>>> Hi All,
>>>
>>> I am new to FreeRadius. I am trying to set up EAP/TLS authentication. I have
>>> installed OpenSSL-0.9.7b and FreeRadius 0.8.1. I followed the instructions at
>>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but when I run
>>>
>>> radiusd -x -A, an error occurs - Unknown value "EAP".
>>> (I have set Auth-Type=EAP in /etc/raddb/users)
>>> Any help would be appreciated.
>>>
>>> Regards,
>>> Umesh
>>>


Re: Re: EAP/TLS Setup problem

2003-06-20 Thread Jean-Guillaume LALANNE
Hi Jason,

I forgot to say that I am on a FreeBSD box.
I have attached the install programs I used.
In addition, I give you the logs (when doing ./CA.clt, the ./CA.root
and ./CA.svr were OK):




X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Jun 19 07:46:03 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
No certificate matches private key
1228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:unable to load certificate
1229:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE


Thanks a lot for your help.

Best Regards

Jean-Guillaume



- Original Message -
From: "王志欣" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 3:22 AM
Subject: Re: Re: EAP/TLS Setup problem


Hi Jean-Guillaume,

I also followed this guide, and I succeeded. Please post your log information.


   Jeson
[EMAIL PROTECTED]
  2003-06-20

>Hi Umesh,
>
>I am trying to install a freeradius/EAP-TLS authentication for my wireless
>network (DWL 1000 AP +) by following the instructions at
>http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but
>I can't manage to create the certificate correctly ...
>(I use openssl-0.9.7b)
>How do you manage to do it?
>
>Thanks a lot for your help,
>
>Best regards,
>
>Jean-Guillaume
>
>
>- Original Message -
>From: "Umesh" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, June 10, 2003 8:54 AM
>Subject: EAP/TLS Setup problem
>
>
>> Hi All,
>>
>> I am new to FreeRadius. I am trying to set up EAP/TLS authentication. I have
>> installed OpenSSL-0.9.7b and FreeRadius 0.8.1. I followed the instructions at
>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but when I run
>>
>> radiusd -x -A, an error occurs - Unknown value "EAP".
>> (I have set Auth-Type=EAP in /etc/raddb/users)
>> Any help would be appreciated.
>>
>> Regards,
>> Umesh
>>


CA.clt
Description: Binary data


CA.root
Description: Binary data


CA.svr
Description: Binary data


installfreeradius
Description: Binary data


openssl
Description: Binary data


openssl.cnf
Description: Binary data


random
Description: Binary data


xpextensions
Description: Binary data


Re: Re: EAP/TLS Setup problem

2003-06-19 Thread 王志欣
Hi Jean-Guillaume,

I also followed this guide, and I succeeded. Please post your log information.


   Jeson
[EMAIL PROTECTED]
  2003-06-20

>Hi Umesh,
>
>I am trying to install a freeradius/EAP-TLS authentication for my wireless
>network (DWL 1000 AP +) by following the instructions at
>http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but
>I can't manage to create the certificate correctly ...
>(I use openssl-0.9.7b)
>How do you manage to do it?
>
>Thanks a lot for your help,
>
>Best regards,
>
>Jean-Guillaume
>
>
>- Original Message -
>From: "Umesh" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, June 10, 2003 8:54 AM
>Subject: EAP/TLS Setup problem
>
>
>> Hi All,
>>
>> I am new to FreeRadius. I am trying to set up EAP/TLS authentication. I have
>> installed OpenSSL-0.9.7b and FreeRadius 0.8.1. I followed the instructions at
>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but when I run
>>
>> radiusd -x -A, an error occurs - Unknown value "EAP".
>> (I have set Auth-Type=EAP in /etc/raddb/users)
>> Any help would be appreciated.
>>
>> Regards,
>> Umesh
>>