EAP TLS login fails after creation of new certs

2004-10-17 Thread Beekmann (EXT), Lars

Hi,

I'm running a FreeRadius 1.0.1 Server on Suse Linux v9.1 with EAP-TLS
for Authentication.

I have previously used the CA.all Script to generate the necessary
Certificates for test purposes.

Now I tried to write a script for creating the Certs myself, without
obvious problems.

But after I installed the Certs on the Radius Server and the Windows XP
Client, the Client doesn't log in anymore.

Can anyone tell me what I've done wrong with the Certs?!

Big THX to you all.

# Root CA (run in a Root/ directory; the server and client scripts below
# reach it as ./../Root/)

Pass=XXX    #Pass for PrivKey
# Note: genrsa writes the key in clear unless a cipher such as -des3 is
# also given, so -passout here and the -passin options on the commands
# that read ./root.key have nothing to unlock.
openssl genrsa -out ./root.key -passout pass:${Pass} 1024
# request, then a self-signed root certificate valid for one year
openssl req -new -key ./root.key -passin pass:${Pass} -passout pass:${Pass} \
    -out ./root.req
openssl x509 -req -days 365 -in ./root.req -signkey ./root.key \
    -out ./root.cert -passin pass:${Pass}
# bundle as PKCS#12, then convert back to PEM and to DER
openssl pkcs12 -export -cacerts -in ./root.cert -passin pass:${Pass} \
    -passout pass:${Pass} -inkey ./root.key -out ./root.p12
openssl pkcs12 -in ./root.p12 -out ./root.pem -passin pass:${Pass} \
    -passout pass:${Pass}
openssl x509 -inform PEM -outform DER -in ./root.pem -out ./root.der


# Server certificate (run in a sibling directory of Root/)

Pass=XXX    #Pass for PrivKey

openssl genrsa -out ./server.key -passout pass:${Pass} 1024
openssl req -new -key ./server.key -passin pass:${Pass} -passout pass:${Pass} \
    -out ./server.req
# sign the request with the root CA; -CAcreateserial creates
# ./../Root/root.srl on first use
openssl x509 -req -days 365 -CA ./../Root/root.cert -CAkey ./../Root/root.key \
    -CAcreateserial -in ./server.req -out ./server.cert -passin pass:${Pass}
# bundle as PKCS#12, then convert back to PEM and to DER
openssl pkcs12 -export -in ./server.cert -passin pass:${Pass} \
    -passout pass:${Pass} -inkey ./server.key -out ./server.p12
openssl pkcs12 -in ./server.p12 -out ./server.pem -passin pass:${Pass} \
    -passout pass:${Pass}
openssl x509 -inform PEM -outform DER -in ./server.pem -out ./server.der


# Client certificate (run in a sibling directory of Root/)

Pass=XXX    #Pass for PrivKey

openssl genrsa -out ./client.key -passout pass:${Pass} 1024
openssl req -new -key ./client.key -passin pass:${Pass} -passout pass:${Pass} \
    -out ./client.req
# sign the request with the root CA
openssl x509 -req -days 365 -CA ./../Root/root.cert -CAkey ./../Root/root.key \
    -CAcreateserial -in ./client.req -out ./client.cert -passin pass:${Pass}
# bundle as PKCS#12, then convert back to PEM and to DER
openssl pkcs12 -export -in ./client.cert -passin pass:${Pass} \
    -passout pass:${Pass} -inkey ./client.key -out ./client.p12
openssl pkcs12 -in ./client.p12 -out ./client.pem -passin pass:${Pass} \
    -passout pass:${Pass}
openssl x509 -inform PEM -outform DER -in ./client.pem -out ./client.der

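
Added example, not the poster's script and not FreeRADIUS code: it builds the same three-certificate chain but attaches the X.509 extensions an EAP-TLS supplicant looks for (CA:TRUE on the root, serverAuth on the server certificate, clientAuth on the client certificate) and then checks each leaf against the root with openssl verify for its purpose, which is the test worth running on a freshly built set before installing it. Subject names, validity, key sizes and the extension files are constructed; an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example, not the poster's script: build a Root/Server/Client chain
# for EAP-TLS and verify it as a TLS peer would. Constructed assumptions:
# subject names, 365-day validity, unencrypted keys and the extension sets
# below (modelled on the xpextensions file FreeRADIUS's CA.all applies).
set -e
# The Windows XP supplicant looks for the serverAuth EKU on the server
# certificate and clientAuth on the client certificate; a root that is not
# marked CA:TRUE cannot anchor the chain.
write_extensions() {  # dir
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$1/server.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$1/client.ext"
}

# Same x509 -req flags as the poster's script, plus -extfile so that the
# extensions actually land in the issued certificate.
issue_cert() {  # dir name cn
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.req"
    openssl x509 -req -days 365 -in "$1/$2.req" -CA "$1/root.cert" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.cert" 2>/dev/null
}

build_chain() {  # dir
    write_extensions "$1"
    openssl genrsa -out "$1/root.key" 2048 2>/dev/null
    openssl req -new -key "$1/root.key" -subj "/CN=Example Root CA" -out "$1/root.req"
    openssl x509 -req -days 365 -in "$1/root.req" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -out "$1/root.cert" 2>/dev/null
    issue_cert "$1" server radius.example.test
    issue_cert "$1" client user1
}

cert_has_eku() {  # cert "TLS Web Server Authentication"|"TLS Web Client Authentication"
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Chain check with the purposes EAP-TLS relies on: the root must be a CA
# and each leaf must carry the EKU that matches its role.
verify_chain() {  # dir
    openssl verify -purpose sslserver -CAfile "$1/root.cert" "$1/server.cert" >/dev/null &&
    openssl verify -purpose sslclient -CAfile "$1/root.cert" "$1/client.cert" >/dev/null &&
    cert_has_eku "$1/server.cert" "TLS Web Server Authentication" &&
    cert_has_eku "$1/client.cert" "TLS Web Client Authentication"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
    dir=$(mktemp -d)
    build_chain "$dir"
    verify_chain "$dir" && echo "chain in $dir verifies for EAP-TLS"
}
main
```

The same verify_chain check run against certificates produced by the script above would show whether the root is usable as a trust anchor and whether each leaf carries the EKU for its role.
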
Re: Authentication errors on freeradius 1.0.1 on Solaris 9

2004-10-17 Thread Klaus Kastens
On Mon, 18 Oct 2004 10:50 +1000, Mitchell, Michael wrote:
> 
> Just a thought - if it was a problem with Solaris/the server, then
> wouldn't your radtest test fail also?

Only the radtest/radclient from the failing freeradius/Solaris installation
is working. Using this radclient with a working freeradius fails too.

It looks like radclient doesn't encrypt the password. With snoop I can
see the password in clear!

I guess on the radiusd it's the same problem. For requests from a
working radclient, pair->flags.encrypt in rad_decode is always 0.

As Ahmad already wrote, we are using identical configuration files
on both Linux/IA32 and Solaris/Sparc. Only the Linux-version is
working.


 Regards,
 Klaus

-- 
Klaus Kastens   NetUSE AG
Dr.-Hell-Straße 6, D-24107 Kiel,  Germany
Fon: +49 431 2390 400 (07:00 GMT - 15:00 GMT)
Fax: +49 431 2390 499

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Has somebody developed some NAS?

2004-10-17 Thread Yyc
hi all,

I have to simulate a NAS on Linux. The RADIUS client is in the NAS, but I think it's
different from the radclient of FreeRADIUS: this client should be able to listen on a port
to forward some packets, and be able to cooperate with a WEB AA server (this may include some
other private protocol). Is there any code I can use directly?
Thanks.


Regards.
Yyc

And the vision that was planted in my brain.
Still remains with the Sound of Silence. 





Another PEAP-MSCHAP problem

2004-10-17 Thread Peter Hicks
I have configured freeradius from scratch using the 802.1x HOWTO by Lars
Strand but I must have (not) done something. I have been looking over it for
two days and can't find where the problem lies. When I try to authenticate
it goes through TLS OK but when it comes time to check the password it
fails. I have seen some other posts that have MS-CHAP-Challenge and Response
attributes in the Access-Request packet; mine do not. Is this an indication of
the problem?

I am using the users file with no auth-type specified and it works with
radtest. I have had TLS working with Freeradius, and PEAP-MSCHAP working
with Cisco-ACS using the same client (with XP supplicant). I am using a
Cisco Aironet 1220 with 12.2(15).

Some debug info follows...

Thanks,

Peter



Here is the point where it first fails...
===
modcall: entering group Auth-Type for request 5
  rlm_mschap: Told to do MS-CHAPv2 for 180694p with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 5
modcall: group Auth-Type returns reject for request 5
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
Login incorrect: [180694p/] (from client localhost port 0)
===
After this it sends a reject back and forth.

Here is the complete request 5...

rad_recv: Access-Request packet from host 10.1.1.1:21661, id=208, length=229
User-Name = "180694p"
Framed-MTU = 1400
Called-Station-Id = "0007.50d5.a8b3"
Calling-Station-Id = "0009.b71a.bc0f"
Service-Type = Login-User
Message-Authenticator = 0x494b12739d3cda78d9f90a0ab060e2e2
EAP-Message =
0x020700591900170301004ee71b282fe2b35f5f262bda4d952f7bc9d6
12ae8bb63a6e386988020cfe3aa9c8a93566d51a69ac2f5d0c7215693b666b4bf1c1ae816aa7
d727
aa3a4bc68d489064a7d2428e7b9ec0c9a5cbf06dd4
NAS-Port-Type = Wireless-802.11
NAS-Port = 5348
State = 0x92fbee2504f996f3a3a0d9d139ee6ee2
NAS-IP-Address = 10.1.1.1
NAS-Identifier = "B309-AP-1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "180694p", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 7 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
users: Matched 180694p at 97
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "180694p", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 7 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
users: Matched 180694p at 97
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message =
0x020700421a0207003d312b2ce7e14a8632c3672347d13e03c442
b31975c0f2eaa9570a2e45feb59e8a678a761139a3cd4a9b0031383036393470
  PEAP: Setting User-Name to 180694p
  PEAP: Adding old state with 30 94
  PEAP: Sending tunneled request
EAP-Message =
0x020700421a0207003d312b2ce7e14a8632c3672347d13e03c442
b31975c0f2eaa9570a2e45feb59e8a678a761139a3cd4a9b0031383036393470
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "180694p"
State = 0x3094792a04ed7cef16c2ddac7b1981cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[

FW: Installing freeRadius on RH Linux 9.0

2004-10-17 Thread Gene Rouse
I did post the errors.  Below is the message I sent on 10/15/2004.  It's a
non-issue now, because I found out what the problem was.  Two extremely
helpful members of the Linux community contacted me off-list and we compared
their Linux installations with mine and found I was missing the mysql-devel
package. Once installed it went great. I now have not one but two functional
freeRADIUS boxes.

Just so everyone knows, I am a MS MCSE and this is a major departure from
what I've spent the last 20 years using.  I'm not just running Linux on the
server side.  It's on every box in our office.  I'm not saying I'm
abandoning Windows.  This particular solution called for something a little
more secure, less prone to virus attacks and a heck of a lot cheaper.  My
total software cost for this WISP is $3000.00 which is for the billing
software and its options.  Considering I'm used to a point and click world,
I don't think I'm doing too bad.

Thanks Paul and Bruce,
Gene

> -Original Message-
> From: Gene Rouse [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 15, 2004 3:32 PM
> To: '[EMAIL PROTECTED]'
> Subject: Installing freeRadius on RH Linux 9.0
> 
> Below I have included the error messages. I get.
> 
> gmake[11]: Entering directory `/root/freeradius-
> 1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
> [ "xrlm_sql_mysql" = "x" ] || /root/freeradius-1.0.1/libtool --
> mode=install /root/freeradius-1.0.1/install-sh -c -c rlm_sql_mysql.la
> /usr/local/lib/rlm_sql_mysql.la
> libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive
> Try `libtool --help --mode=install' for more information.
> gmake[11]: *** [install] Error 1
> gmake[11]: Leaving directory `/root/freeradius-
> 1.0.1/src/modules/rlm_sql/drivers/rlm_sql_mysql'
> gmake[10]: *** [common] Error 1
> gmake[10]: Leaving directory `/root/freeradius-
> 1.0.1/src/modules/rlm_sql/drivers'
> gmake[9]: *** [install] Error 2
> gmake[9]: Leaving directory `/root/freeradius-
> 1.0.1/src/modules/rlm_sql/drivers'
> gmake[8]: *** [common] Error 1
> gmake[8]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql'
> gmake[7]: *** [install-drivers] Error 2
> gmake[7]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql'
> gmake[6]: *** [install] Error 2
> gmake[6]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_sql'
> gmake[5]: *** [common] Error 1
> gmake[5]: Leaving directory `/root/freeradius-1.0.1/src/modules'
> gmake[4]: *** [install] Error 2
> gmake[4]: Leaving directory `/root/freeradius-1.0.1/src/modules'
> gmake[3]: *** [common] Error 1
> gmake[3]: Leaving directory `/root/freeradius-1.0.1/src'
> gmake[2]: *** [install] Error 2
> gmake[2]: Leaving directory `/root/freeradius-1.0.1/src'
> gmake[1]: *** [common] Error 1
> gmake[1]: Leaving directory `/root/freeradius-1.0.1'
> make: *** [install] Error 2
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:freeradius-
> > [EMAIL PROTECTED] On Behalf Of Gene Rouse
> > Sent: Thursday, October 14, 2004 10:49 PM
> > To: [EMAIL PROTECTED]
> > Subject: Installing freeRadius on RH Linux 9.0
> >
> > When I run make on freeRADIUS 1.0.1 I get all kinds of missing attribute
> > warnings. The make program eventually finishes with a list of
> directories
> > listed as 'leaving'.  I followed the install instructions, but now I'm
> > stumped.  As you have already guessed I am new to freeRADIUS.  My
> partner
> > and I have started a WISP and want to control users by their MAC
> address.
> > In addition our billing software (Optigold ISP) can export client
> account
> > information to radius.  I really want to use freeRADIUS rather than pay
> > several thousand dollars for a 'boxed' product.  If I have to spend any
> > money I would rather pay an individual to help me make this project a
> > success.
> >
> > Thanks in advance.
> > Gene Rouse
> > Wireless Cyberspace, LLC
> >





RE: Authentication errors on freeradius 1.0.1 on Solaris 9

2004-10-17 Thread Mitchell, Michael
I'm on Solaris 9, and I haven't had any problems (touch wood), but I
haven't tried it with a real NAS yet either - only test clients
(radclient/radtest, NTRadPing on XP, Perl and Python).

Just a thought - if it was a problem with Solaris/the server, then
wouldn't your radtest test fail also? Have you tried using the same
shared secret for localhost and the Cisco? Have you tried a different
client on another platform, like NTRadPing for example?


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Ahmad Cheikh-Moussa
> Sent: Monday, 18 October 2004 6:10 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Authentication errors on freeradius 1.0.1 on Solaris 9
> 
> Hi!
> 
> 
> >   If the User-Password is decrypted to be garbage, then either the
> > shared secret is wrong, or there's a bug in the servers MD5 
> routines.
> > 
> >   Try it on another platform, like x86.
> freeradius on SuSe 9.1 functions properly.
> Is it a Solaris problem?
> Is there a patch for it?
> 
> Regards,
>  Ahmad
> 



RE: Installing freeRadius on RH Linux 9.0

2004-10-17 Thread Gene Rouse
I was missing the mysql-devel package.  Once I installed it freeradius
installed successfully.

Gene

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Gene Rouse
> Sent: Sunday, October 17, 2004 12:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Installing freeRadius on RH Linux 9.0
> 
> Because I wanted to know if someone might have a clue as to why it failed.
> It must be easier to criticize someone than to offer any helpful
> suggestions. If I didn't want to learn by doing, I would simply buy
> NavisRadius which I have used in the past in corporate solutions.  You can
> have a RADIUS box online in half an hour serving clients.  I have a real
> interest in Linux.  There's one major advantage Windows has over Linux.
> Ease of install, no cryptic crap.
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:freeradius-
> > [EMAIL PROTECTED] On Behalf Of Alan DeKok
> > Sent: Saturday, October 16, 2004 12:45 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Installing freeRadius on RH Linux 9.0
> >
> > "Gene Rouse" <[EMAIL PROTECTED]> wrote:
> > > >   Did the "make" process succeeded?
> > >
> > > No.
> >
> >   Then why the heck are you trying to install something that didn't
> build?
> >
> >   Why are you wasting people's time (and yours) by asking questions
> > about a broken "make install", when the "make" didn't work?
> >
> >   Alan DeKok.
> >
> 
> 
> 
> 





Re: Authentication errors on freeradius 1.0.1 on Solaris 9

2004-10-17 Thread Ahmad Cheikh-Moussa
Hi!


>   If the User-Password is decrypted to be garbage, then either the
> shared secret is wrong, or there's a bug in the servers MD5 routines.
> 
>   Try it on another platform, like x86.
freeradius on SuSe 9.1 functions properly.
Is it a Solaris problem?
Is there a patch for it?

Regards,
 Ahmad

-- 
Ahmad Cheikh-Moussa 
NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 --  Telefax: +49 431 2390 499
Service: [EMAIL PROTECTED] --  http://NetUSE.DE/

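
Alan's explanation quoted above (a wrong shared secret decrypts User-Password to garbage) and Klaus Kastens's report earlier on this page (radclient sending the password in clear, yet passing against the same build's radiusd) both come down to the RFC 2865 password-hiding step. This added example, not code from the list or from FreeRADIUS, implements that step on both sides plus a capture-review check for a User-Password that was never hidden; the shared secret, Request Authenticator and password are constructed values.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR each block with MD5(secret + previous ciphertext block);
    the first block is chained to the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain in reverse. With the wrong shared secret
    the XOR stream is wrong and the result is garbage (Alan's point)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def looks_like_cleartext(attr_value: bytes) -> bool:
    """Capture-review heuristic for what Klaus saw with snoop: a hidden
    User-Password is a multiple of 16 bytes and, being XORed with MD5
    output, is practically never entirely printable ASCII."""
    body = attr_value.rstrip(b"\x00")
    return len(attr_value) % 16 != 0 or all(0x20 <= b < 0x7f for b in body)


def demo() -> dict:
    secret, auth = b"testing123", bytes(range(16))  # constructed values
    password = b"correct horse"                      # constructed value
    hidden = hide_password(password, secret, auth)
    return {
        "roundtrip": reveal_password(hidden, secret, auth),
        "wrong_secret": reveal_password(hidden, b"wrong", auth),  # garbage
        # A client that never hides the password only "works" against a
        # server that never unhides it; a correct server turns the clear
        # value into garbage, so the login fails.
        "clear_at_correct_server": reveal_password(password + b"\x00" * 3, secret, auth),
        "clear_flagged": looks_like_cleartext(password),
        "hidden_flagged": looks_like_cleartext(hidden),
    }
```
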


Re: Training users to append @realm

2004-10-17 Thread Alan DeKok
Omniflux <[EMAIL PROTECTED]> wrote:
> I was thinking of redirecting all successfully authenticated users 
> without a or the proper realm to a webpage stating something like:
...

  If your NAS supports it, sure.  The problem is that many NASes don't.

> Does anyone know if I can force this redirection on a TNT MAX, or have 
> suggestions on how else to do it?

  Give them an IP on an internal network, with a router which forwards
all web traffic to one web server, which contains a generic page
saying "add @realm".

  Alan DeKok.




Re: Installing freeRadius on RH Linux 9.0

2004-10-17 Thread Alan DeKok
"Gene Rouse" <[EMAIL PROTECTED]> top-posted:
> >   Why are you wasting people's time (and yours) by asking questions
> > about a broken "make install", when the "make" didn't work?
>
> Because I wanted to know if someone might have a clue as to why it failed.

  The second thing failed because it depended on the first thing,
which also failed.

> It must be easier to criticize someone than to offer any helpful
> suggestions.

  I notice that you're complaining because I pointed out you're
resisting getting a solution to your problem.  You also haven't posted
the error from the "make" process, which leads me to believe you don't
want to solve your problem.

  Can you please explain to me why you're dead-set against posting
information on this list which will help someone solve your problem?

> If I didn't want to learn by doing, I would simply buy NavisRadius
> which I have used in the past in corporate solutions.  You can have
> a RADIUS box online in half an hour serving clients.  I have a real
> interest in Linux.  There's one major advantage Windows has over
> Linux.  Ease of install, no cryptic crap.

  And no requirement to think.

  Alan DeKok.

