RE: wpa_supplicant(eapol_test) with freeradius: error coming in TLS
Hi

I made the following change and it worked for me.

In Makefile (/usr/local/etc/raddb/certs/), I passed the input files of that of ca rather than server while creating the client certificate.

Regards,
Gaurav Kansal
Velankani Software Private Limited,
43, Electronics City, Phase - 2, Hosur Road, Bangalore - 560100
Phone : +91 80 4037 5300/01 Extn. # 5401
Direct: +91 80 4037 5401
Fax : +91 80 4037 5303
Mobile: +91 98454 22400
[EMAIL PROTECTED]
www.velankani.com
"Every Customer is a Reference Customer"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, July 09, 2008 8:58 PM
To: FreeRadius users mailing list
Subject: Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS

Sergio Yébenes Moreno wrote:
> I think that PKI that comes with freeradius by default are shit

Feel free to submit fixes. Most people don't have problems with the defaults. Perhaps because they realize that the defaults are for testing, and not for production use.

> (./bootstrap). I had the same problem. If you see the certification
> route in firefox, for example, you will see that client certificate are
> signed by SERVER CERTIFICATE and this by ca certificate.

Which shouldn't be a problem.

> Probably you
> put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf

There is no configuration entry called 'ca_cert'.

> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
> --> verify error:num=20:unable to get local issuer certificate
>
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
>
> , and should be server.pem, or make your own ca, that signs clients and
> servers certificates.

The default configuration works. Perhaps you could try explaining why you think it doesn't, or why it's wrong.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about "freeradius accepts anybody"
>file autorizados contains this
>
>"user1" Cleartext-Password := ""
>        Reply-Message = "Autorizando."
>        Fall-Through = No

That's not going to work. You can't make EAP-TLS use passwords.

>I had to make this because I'm not the signer of client certificates,
>only for server.

What are people with certificates that you haven't issued doing on your network? If you are accepting users from another organization, proxy requests to their home server. But if you are to maintain control over who gets access to your network you should tell people to use PEAP and give them usernames/passwords that you will store in autorizados file.

Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: detail records
Hi

> We're using freeradius 2.0.5 in our test environment and noticed that our
> detail record doesn't have "Freeradius-Proxied-To" information like our
> current production radius which is still running an old version of
> freeradius. We currently setup the accounting record to be proxied to a
> remote radius server and running in debug mode showed that the accounting
> record was being sent to remote server but nothing in detail record. Is this
> something I have to specify on a config file?

You can easily add that functionality using unlang:

    pre-proxy {
        update proxy-request {
            Freeradius-Proxied-To := "%{control:Proxy-To-Realm}"
        }
        detail_local
    }

kind regards
Pshem
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS / LDAP
Hey guys, sorry for the delay.

Yeah, after reading your advice, I agree that I misread. I will use EAP-TTLS with EAP method "PAP" encapsulated in it.

Thanks Sergio for the link for Windows users: in my case with an Intel wifi card, Intel was kind enough to provide the same kind of utilities. But for the other unknown manufacturers, your tool is really just *fine* :)

Thanks again,

Joris

2008/7/8 Ivan Kalik <[EMAIL PROTECTED]>:
> # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
>
> That relates to ldap "bind as user" authentication, not using ldap to
> store user information.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 8/7/2008, "joris" <[EMAIL PROTECTED]> wrote:
>
>>Hello,
>>
>>After reading the configuration file radiusd.conf, it explicitly says
>>that one can't use LDAP as the authentication backend when you use EAP
>>(in my case, i'm interested in EAP-TTLS).
>>
>>Nonetheless, I can read elsewhere on the web that some people seem to
>>use both EAP and LDAP, so I wonder who is right ?
>>
>>I would use LDAP for storing all my users/password and EAP to protect
>>my users credentials over insecure Wifi.
>>
>>Any advice ?
>>
>>
>>Cheers,
>>
>>Joris
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
detail records
Hello all,

We're using freeradius 2.0.5 in our test environment and noticed that our detail record doesn't have "Freeradius-Proxied-To" information like our current production radius which is still running an old version of freeradius. We currently setup the accounting record to be proxied to a remote radius server and running in debug mode showed that the accounting record was being sent to remote server but nothing in detail record. Is this something I have to specify on a config file?

Cheers,
Roy Kartadinata
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
about "freeradius accepts anybody"
Using eap-tls we can make a "filter" to users, based on different attributes (I think). In my case, the "identity" field in wpa_supplicant.conf.

Freeradius config:

file users contains this

    .
    .
    $INCLUDE autorizados
    DEFAULT Auth-Type := Reject
            Reply-Message = "out"
    ..
    ..

file autorizados contains this

    "user1" Cleartext-Password := ""
            Reply-Message = "Autorizando."
            Fall-Through = No
    "user2" ...

I had to make this because I'm not the signer of client certificates, only for server.

I hope that somebody will help this.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: POP3
Thanks much, will try the options you have pointed to

Slava Shkarupin
Kiev, UA

----- Original Message -----
From: "Matt Garretson" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Wednesday, July 09, 2008 17:16
Subject: Re: POP3

Alan DeKok wrote:
> Slava wrote:
>> Could anyone tell me if there exists a solution to integrate FR with a
>> POP3 server
> Look for patches to let cucipop do RADIUS authentication. If there
> are none, maybe cucipop does PAM authentication. You could then use the
> PAM RADIUS module.

FWIW, Qpopper also can use PAM, although I haven't tried it myself:

http://www.eudora.com/products/unsupported/qpopper/faq.html#PAM
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Reply Attribute and Stripping a realm
>I need to force a reply attribute for the slipstream service to all my
>customers.
>I'm using flatfile, just a basic setup. What would be the best way to do
>this?

Create a DEFAULT entry in users file.

>Also, How do I strip Realms? We get users coming to our RADIUS in this
>format [EMAIL PROTECTED]
>My flatfile only has username due to the backend system we use. I need to
>strip the realm..

Create a local realm in proxy.conf.

Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reply Attribute and Stripping a realm
I have a couple questions.

I need to force a reply attribute for the slipstream service to all my customers. I'm using flatfile, just a basic setup. What would be the best way to do this?

Also, How do I strip Realms? We get users coming to our RADIUS in this format [EMAIL PROTECTED] My flatfile only has username due to the backend system we use. I need to strip the realm..

Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS
Sergio Yébenes Moreno wrote:
> I think that PKI that comes with freeradius by default are shit

Feel free to submit fixes. Most people don't have problems with the defaults. Perhaps because they realize that the defaults are for testing, and not for production use.

> (./bootstrap). I had the same problem. If you see the certification
> route in firefox, for example, you will see that client certificate are
> signed by SERVER CERTIFICATE and this by ca certificate.

Which shouldn't be a problem.

> Probably you
> put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf

There is no configuration entry called 'ca_cert'.

> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
> --> verify error:num=20:unable to get local issuer certificate
>
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
>
> , and should be server.pem, or make your own ca, that signs clients and
> servers certificates.

The default configuration works. Perhaps you could try explaining why you think it doesn't, or why it's wrong.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS
Gaurav Kansal wrote:
> Hi
>
> I am trying to use EAP-TLS between wpa_supplicant and freeradius.
>
> I created the certificates (ca/server/client) as mentioned in freeradius-server-2.0.5/raddb/certs/README.
>
> In freeradius-server-2.0.5/raddb/users, following line is added at end:
>
>     testuser Cleartext-Password := "password"
>
> On wpa_supplicant-0.5.10, created eapol_test.conf.tls with following contents:
>
>     network={
>         eap=TLS
>         eapol_flags=0
>         key_mgmt=IEEE8021X
>         identity="testuser"
>         ca_cert="/usr/local/etc/raddb/certs/ca.pem"
>         client_cert="/usr/local/etc/raddb/certs/[EMAIL PROTECTED]"
>         private_key="/usr/local/etc/raddb/certs/client.key"
>         private_key_passwd="whatever"
>     }
>
> Executed wpa_supplicant (eapol_test) with following command (wpa_supplicant side logs are after radius logs at end):
>
>     eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1
>
> On executing /usr/local/sbin/radiusd -X, I get following log and error too:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0, length=124
>     User-Name = "testuser"
>     NAS-IP-Address = 127.0.0.1
>     Calling-Station-Id = "02-00-00-00-00-01"
>     Framed-MTU = 1400
>     NAS-Port-Type = Wireless-802.11
>     Connect-Info = "CONNECT 11Mbps 802.11b"
>     EAP-Message = 0x020d017465737475736572
>     Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: EAP packet type response id 0 length 13
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: EAP Identity
> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
>     EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
>     Message-Authenticator = 0x
>     State = 0x26767358261a69809cb3876d58ea
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, length=135
>     User-Name = "testuser"
>     NAS-IP-Address = 127.0.0.1
>     Calling-Station-Id = "02-00-00-00-00-01"
>     Framed-MTU = 1400
>     NAS-Port-Type = Wireless-802.11
>     Connect-Info = "CONNECT 11Mbps 802.11b"
>     EAP-Message = 0x02010006030d
>     State = 0x26767358261a69809cb3876d58ea
>     Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: EAP packet type response id 1 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP NAK
> rlm_eap: EAP-NAK asked for EAP-Type/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 1 to 127.0.0.1 port 32770
>     EAP-Message = 0x010200060d20
>     Message-Authenticator = 0x
>     State = 0x2676735827747e1a69809cb3876d58ea
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2, length=236
>     User-Name = "testuser"
>     NAS-IP-Address = 127.0.0.1
>     Calling-Station-Id = "02-00-00-00-00-01"
>     Framed-MTU = 1400
>     NAS-Port-Type = Wireless-802.11
>     Connect-Info = "CONNECT 11Mbps 802.11b"
>     EAP-Message = 0x0202006b0d001603010060015c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca77a38aaea1b9788b532d3400390038003500160013000a00330032002f00660005000400630062006100150012000900650064006000140011000800060003020100
>     State = 0x2676735827747e1a69809cb3876d58ea
>     Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in Use
Re: POP3
Alan DeKok wrote:
> Slava wrote:
>> Could anyone tell me if there exists a solution to integrate FR with a
>> POP3 server
> Look for patches to let cucipop do RADIUS authentication. If there
> are none, maybe cucipop does PAM authentication. You could then use the
> PAM RADIUS module.

FWIW, Qpopper also can use PAM, although I haven't tried it myself:

http://www.eudora.com/products/unsupported/qpopper/faq.html#PAM
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TLS
>++[eap] returns handled
>    EAP-Message = 0x010300060d20
>    Message-Authenticator = 0x
>    State = 0x7382effe7381e2540240fd45d4418b28
>Finished request 4.
>Going to the next request
>Waking up in 4.9 seconds.
>Cleaning up request 4 ID 1 with timestamp +930
>Ready to process requests.
>    User-Name = "MarsNet_Client"
>    NAS-IP-Address = 0.0.0.0
>    Framed-MTU = 1488
>    Called-Station-Id = "00:30:1a:29:03:66"
>    Calling-Station-Id = "00:1c:f0:10:56:b8"
>    NAS-Port-Type = Wireless-802.11
>    NAS-Identifier = "127.0.0.1"
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 0x02010013014d6172734e65745f436c69656e74
>    Message-Authenticator = 0xd79261edb8c5b177b0b6334837684449
>+- entering group authorize
>

Your client is broken. State attribute from the challenge must be returned in the next request.

Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
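
The check described in the reply above, as an added example that is not part of the original thread: it parses radiusd -X output, decodes each EAP-Message header, and reports any Access-Request that does not return the State of the preceding Access-Challenge. It assumes one supplicant conversation per log; attribute values are taken from logs posted on this page, and the packet header lines in BROKEN_LOG are constructed because the posted log omits them.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}
HEADER = re.compile(r"^(rad_recv: Access-Request|Sending Access-Challenge)\b")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.+)$")

# Trimmed excerpt of the eapol_test log posted on this page: State is echoed.
GOOD_LOG = """\
Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
\tEAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
\tState = 0x26767358261a69809cb3876d58ea
Finished request 0.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, length=135
\tEAP-Message = 0x02010006030d
\tState = 0x26767358261a69809cb3876d58ea
"""

# Attribute values from the log quoted in the reply above. The two packet
# header lines (port, id, length) are constructed; the posted log omits them.
BROKEN_LOG = """\
Sending Access-Challenge of id 1 to 127.0.0.1 port 1024
\tEAP-Message = 0x010300060d20
\tState = 0x7382effe7381e2540240fd45d4418b28
Finished request 4.
rad_recv: Access-Request packet from host 127.0.0.1 port 1024, id=3, length=0
\tUser-Name = "MarsNet_Client"
\tEAP-Message = 0x02010013014d6172734e65745f436c69656e74
"""


def decode_eap(hex_value):
    """Decode the EAP header (code, id, length, type) of an EAP-Message value."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    eap = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
           "length": int.from_bytes(raw[2:4], "big"), "type": None, "data": b""}
    if raw[0] in (1, 2) and len(raw) >= 5:  # only Request/Response carry a type
        eap["type"] = EAP_TYPES.get(raw[4], raw[4])
        eap["data"] = raw[5:eap["length"]]
    return eap


def parse_packets(log_text):
    """Collect the attribute lines that directly follow each packet header."""
    packets, current = [], None
    for line in log_text.splitlines():
        header, attr = HEADER.match(line), ATTR.match(line)
        if header:
            kind = "request" if header.group(1).startswith("rad_recv") else "challenge"
            current = {"kind": kind, "attrs": {}}
            packets.append(current)
        elif attr and current is not None:
            current["attrs"].setdefault(attr.group(1), attr.group(2).strip().strip('"'))
        else:
            current = None  # module debug output ends the attribute list
    return packets


def check_state_echo(packets):
    """Report requests that do not return the State of the preceding challenge."""
    findings, pending = [], None
    for pkt in packets:
        attrs = pkt["attrs"]
        if pkt["kind"] == "challenge":
            pending = attrs.get("State")
            continue
        if pending is not None and attrs.get("State") != pending:
            eap = decode_eap(attrs["EAP-Message"]) if "EAP-Message" in attrs else None
            findings.append({"expected": pending, "got": attrs.get("State"), "eap": eap})
        pending = None
    return findings


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("broken", BROKEN_LOG)):
        for finding in check_state_echo(parse_packets(log)):
            print(name, finding)
```

For BROKEN_LOG the single finding decodes to an EAP Response of type Identity carrying "MarsNet_Client" with no State, that is, the client answered the EAP-TLS Start by beginning a new conversation.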
Re: sql_log inside virtual servers
On Wed, Jul 9, 2008 at 5:03 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Leon Kyneur wrote:
>> I'm trying to configure my virtual servers to have different sql_log
>> queries and having some difficulty specifying the queries within the
>> server { } block
>
> You don't. The modules are defined in the "modules" section of the
> configuration file (raddb/modules)
>
>> redefining sql_log { Start, Stop, Alive etc.. }
>> parameters within each virtual server instance.
>>
>> Is this supported? Or can they only be set on a global basis?
>
> You can create multiple copies of the sql_log module, and use a named
> copy in a virtual server.
>
> sql_log foo {
>    ... config ..
> }
> sql_log bar {
>    ... config ...
> }
>
> server one {
>   accounting {
>      ...
>      foo
>      ...
>   }
> }
>
> i.e. give them unique names (sql_log foo), and then refer to them in
> the virtual server as "foo", and not "sql_log".

Ah! I knew it would be something so simple.

Thanks Alan.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TLS
Kwok Sianbin wrote:
> Thanks for the tips. If the certificates are fine then the only problem here is the radius server. XP can not authenticate the client & can't get connected.
>
> here the output
>
> Ready to process requests.
>     User-Name = "MarsNet_Client"
>     NAS-IP-Address = 0.0.0.0
>     Framed-MTU = 1488
>     Called-Station-Id = "00:30:1a:29:03:66"
>     Calling-Station-Id = "00:1c:f0:10:56:b8"
>     NAS-Port-Type = Wireless-802.11
>     NAS-Identifier = "127.0.0.1"
>     Connect-Info = "CONNECT 11Mbps 802.11b"
>     EAP-Message = 0x02020013014d6172734e65745f436c69656e74
>     Message-Authenticator = 0x00ebc8fcffd2c906e2d36ec4fff17d3a
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "MarsNet_Client", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: EAP packet type response id 2 length 19
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> ++[eap] returns handled
>     EAP-Message = 0x010300060d20
>     Message-Authenticator = 0x
>     State = 0x7382effe7381e2540240fd45d4418b28
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 4 ID 1 with timestamp +930
> Ready to process requests.
>     User-Name = "MarsNet_Client"
>     NAS-IP-Address = 0.0.0.0
>     Framed-MTU = 1488
>     Called-Station-Id = "00:30:1a:29:03:66"
>     Calling-Station-Id = "00:1c:f0:10:56:b8"
>     NAS-Port-Type = Wireless-802.11
>     NAS-Identifier = "127.0.0.1"
>     Connect-Info = "CONNECT 11Mbps 802.11b"
>     EAP-Message = 0x02010013014d6172734e65745f436c69656e74
>     Message-Authenticator = 0xd79261edb8c5b177b0b6334837684449
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "MarsNet_Client", looking up realm NULL
> rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
> rlm_eap: EAP packet type response id 1 length 19
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> ++[eap] returns handled
>     EAP-Message = 0x010200060d20
>     Message-Authenticator = 0x
>     State = 0xae557800ae5775e5b09645c04263a306
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 5 ID 3 with timestamp +950
> Ready to process requests.
>
> --- On Mon, 7/7/08, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>
> From: Ivan Kalik <[EMAIL PROTECTED]>
> Subject: Re: Private key
> To: "FreeRadius users mailing list"
> Date: Monday, July 7, 2008, 10:38 PM
>
> Why do you care if "Windows does not have enough information to verify this certificate"? Does radius server have any problems with it?
>
> Ivan Kalik
> Kalik Informatika ISP
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Have you read last lines of eap.conf?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sql_log inside virtual servers
Leon Kyneur wrote:
> I'm trying to configure my virtual servers to have different sql_log
> queries and having some difficulty specifying the queries within the
> server { } block

You don't. The modules are defined in the "modules" section of the configuration file (raddb/modules)

> redefining sql_log { Start, Stop, Alive etc.. }
> parameters within each virtual server instance.
>
> Is this supported? Or can they only be set on a global basis?

You can create multiple copies of the sql_log module, and use a named copy in a virtual server.

    sql_log foo {
        ... config ..
    }
    sql_log bar {
        ... config ...
    }

    server one {
        accounting {
            ...
            foo
            ...
        }
    }

i.e. give them unique names (sql_log foo), and then refer to them in the virtual server as "foo", and not "sql_log".

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about EAP using 1.1.7 and 2.0.3
hi,

as Alan stated - your NAS doesn't seem to be getting the responses from your server. some ACL or routing issue? (stick a sniffer directly in front of the switch...if you need to, you may need to have a 'port mirror' or somesuch from the switch that feeds that switch if traffic is on a mgmt VLAN and .1q trunking is involved etc.)

don't worry about the errors from the ./configure - unless you are using any of those technologies (postgresql, oracle, TNC or IKEv2) - your server is 'normal'

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sql_log inside virtual servers
Hi All,

I'm trying to configure my virtual servers to have different sql_log queries and having some difficulty specifying the queries within the server { } block redefining sql_log { Start, Stop, Alive etc.. } parameters within each virtual server instance.

Is this supported? Or can they only be set on a global basis?

Oh and I'm using 2.0.5.

Thanks

Leon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP/TLS
Thanks for the tips. If the certificates are fine then the only problem here is the radius server. XP can not authenticate the client & can't get connected.

here the output

Ready to process requests.
    User-Name = "MarsNet_Client"
    NAS-IP-Address = 0.0.0.0
    Framed-MTU = 1488
    Called-Station-Id = "00:30:1a:29:03:66"
    Calling-Station-Id = "00:1c:f0:10:56:b8"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "127.0.0.1"
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x02020013014d6172734e65745f436c69656e74
    Message-Authenticator = 0x00ebc8fcffd2c906e2d36ec4fff17d3a
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "MarsNet_Client", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 19
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
    EAP-Message = 0x010300060d20
    Message-Authenticator = 0x
    State = 0x7382effe7381e2540240fd45d4418b28
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 1 with timestamp +930
Ready to process requests.
    User-Name = "MarsNet_Client"
    NAS-IP-Address = 0.0.0.0
    Framed-MTU = 1488
    Called-Station-Id = "00:30:1a:29:03:66"
    Calling-Station-Id = "00:1c:f0:10:56:b8"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "127.0.0.1"
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x02010013014d6172734e65745f436c69656e74
    Message-Authenticator = 0xd79261edb8c5b177b0b6334837684449
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "MarsNet_Client", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 19
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
    EAP-Message = 0x010200060d20
    Message-Authenticator = 0x
    State = 0xae557800ae5775e5b09645c04263a306
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 3 with timestamp +950
Ready to process requests.

--- On Mon, 7/7/08, Ivan Kalik <[EMAIL PROTECTED]> wrote:

From: Ivan Kalik <[EMAIL PROTECTED]>
Subject: Re: Private key
To: "FreeRadius users mailing list"
Date: Monday, July 7, 2008, 10:38 PM

Why do you care if "Windows does not have enough information to verify this certificate"? Does radius server have any problems with it?

Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html