Strange password when authenticating via pppoe-server.

2008-07-12 Thread Maciej Drobniuch

Hi!
Now I have a new problem.
When authenticating via radiusclient, everything works fine:

radtest steve testing localhost 1813 somesecret

Sat Jul 12 12:07:31 2008 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: login attempt with password testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: Using clear text password testing
Sat Jul 12 12:07:31 2008 : Debug: rlm_pap: User authenticated successfully
Sat Jul 12 12:07:31 2008 : Debug:   modsingle[authenticate]: returned from pap (rlm_pap) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[pap] returns ok
Sat Jul 12 12:07:31 2008 : Debug: +- entering group post-auth
Sat Jul 12 12:07:31 2008 : Debug:   modsingle[post-auth]: calling exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug:   modsingle[post-auth]: returned from exec (rlm_exec) for request 4
Sat Jul 12 12:07:31 2008 : Debug: ++[exec] returns noop
Sending Access-Accept of id 146 to 127.0.0.1 port 32770
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = std.ppp
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP

I've also tried to authenticate using this command (and the login is also successful):
echo "User-Name = steve, CHAP-Password = testing" | radclient localhost auth somesecret

But when I tried to log in from a client (Windows XP) station using the pppoe-server (on the server), the debug output looks like this:
Force PAP (require-pap) on pppoe-server:
Sat Jul 12 12:11:23 2008 : Debug: auth: type PAP
Sat Jul 12 12:11:23 2008 : Debug: +- entering group PAP
Sat Jul 12 12:11:23 2008 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: login attempt with password ŞĂ23ćtn?? 8šľ1RĄ
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Using clear text password testing
Sat Jul 12 12:11:23 2008 : Debug: rlm_pap: Passwords don't match
Sat Jul 12 12:11:23 2008 : Debug:   modsingle[authenticate]: returned from pap (rlm_pap) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[pap] returns reject
Sat Jul 12 12:11:23 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:11:23 2008 : Debug:   WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Sat Jul 12 12:11:23 2008 : Debug:   Found Post-Auth-Type Reject
Sat Jul 12 12:11:23 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:11:23 2008 : Debug:   modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug:   expand: %{User-Name} - steve
Sat Jul 12 12:11:23 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Sat Jul 12 12:11:23 2008 : Debug:   modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 7
Sat Jul 12 12:11:23 2008 : Debug: ++[attr_filter.access_reject] returns updated
Force CHAP (require-chap) on PPPoE server:
Sat Jul 12 12:13:04 2008 : Debug: auth: type CHAP
Sat Jul 12 12:13:04 2008 : Debug: +- entering group CHAP
Sat Jul 12 12:13:04 2008 : Debug:   modsingle[authenticate]: calling chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug:   rlm_chap: login attempt by steve with CHAP password
Sat Jul 12 12:13:04 2008 : Debug:   rlm_chap: Using clear text password testing for user steve authentication.
Sat Jul 12 12:13:04 2008 : Debug:   rlm_chap: Password check failed
Sat Jul 12 12:13:04 2008 : Debug:   modsingle[authenticate]: returned from chap (rlm_chap) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[chap] returns reject
Sat Jul 12 12:13:04 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 12:13:04 2008 : Debug:   Found Post-Auth-Type Reject
Sat Jul 12 12:13:04 2008 : Debug: +- entering group REJECT
Sat Jul 12 12:13:04 2008 : Debug:   modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug:   expand: %{User-Name} - steve
Sat Jul 12 12:13:04 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Sat Jul 12 12:13:04 2008 : Debug:   modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 12:13:04 2008 : Debug: ++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 57 to 127.0.0.1 port 32770
Sat Jul 12 12:13:04 2008 : Debug: Finished request 0.
Sat Jul 12 12:13:04 2008 : Debug: Going to the next request
Sat Jul 12 12:13:04 2008 : Debug: Waking up in 4.9 seconds.
Sat Jul 12 12:13:09 2008 : Debug: Cleaning up request 0 ID 57 with timestamp +8
Sat Jul 12 12:13:09 2008 : Debug: Ready to process requests.

What's wrong again?
Thanks!

-- 

Maciej Drobniuch

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Strange password when authenticating via pppoe-server.

2008-07-12 Thread Ivan Kalik
Post the whole debug including the request. You have chopped off the
front bit.

Ivan Kalik
Kalik Informatika ISP


Re: Strange password when authenticating via pppoe-server.

2008-07-12 Thread Maciej Drobniuch

Sat Jul 12 15:53:55 2008 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=59, length=88
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = steve
User-Password = [EMAIL PROTECTED]
Calling-Station-Id = 00:04:61:5C:14:11
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Sat Jul 12 15:54:03 2008 : Debug: +- entering group authorize
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[preprocess] returns ok
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[chap] returns noop
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[mschap] returns noop
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
Sat Jul 12 15:54:03 2008 : Debug: rlm_realm: No '@' in User-Name = steve, looking up realm NULL
Sat Jul 12 15:54:03 2008 : Debug: rlm_realm: No such realm NULL
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[suffix] returns noop
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[eap] returns noop
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling unix (rlm_unix) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from unix (rlm_unix) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[unix] returns notfound
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 0
Sat Jul 12 15:54:03 2008 : Debug: users: Matched entry steve at line 76
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[files] returns ok
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling expiration (rlm_expiration) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from expiration (rlm_expiration) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[expiration] returns noop
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling logintime (rlm_logintime) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from logintime (rlm_logintime) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[logintime] returns noop
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[pap] returns updated
Sat Jul 12 15:54:03 2008 : Debug:   rad_check_password:  Found Auth-Type
Sat Jul 12 15:54:03 2008 : Debug: auth: type PAP
Sat Jul 12 15:54:03 2008 : Debug: +- entering group PAP
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 0
Sat Jul 12 15:54:03 2008 : Debug: rlm_pap: login attempt with password [EMAIL PROTECTED]
Sat Jul 12 15:54:03 2008 : Debug: rlm_pap: Using clear text password testing
Sat Jul 12 15:54:03 2008 : Debug: rlm_pap: Passwords don't match
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[pap] returns reject
Sat Jul 12 15:54:03 2008 : Debug: auth: Failed to validate the user.
Sat Jul 12 15:54:03 2008 : Debug:   WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Sat Jul 12 15:54:03 2008 : Debug:   Found Post-Auth-Type Reject
Sat Jul 12 15:54:03 2008 : Debug: +- entering group REJECT
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 15:54:03 2008 : Debug:   expand: %{User-Name} - steve
Sat Jul 12 15:54:03 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Sat Jul 12 15:54:03 2008 : Debug:   modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Sat Jul 12 15:54:03 2008 : Debug: ++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 59 to 127.0.0.1 port 32770
Sat Jul 12 15:54:03 2008 : Debug: Finished request 

Re: Strange password when authenticating via pppoe-server.

2008-07-12 Thread Maciej Drobniuch

Now it works fine!
The password in the radiusclient was misspelled.
SORRY for the trouble ;)

On Sat, 12 Jul 2008 12:25:44 +0100, Ivan Kalik [EMAIL PROTECTED] wrote:
 Post the whole debug including the request. You have chopped off the
 front bit.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
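What rlm_pap and rlm_chap are doing in the logs above, as an added example that is not code from the thread or from FreeRADIUS: it implements the RFC 2865 User-Password hiding and the RFC 1994 CHAP response with hashlib, and shows why a wrong shared secret decodes to unprintable bytes (the warning in the first post) while a misspelled password (the final fix) decodes cleanly but fails both PAP and CHAP. The shared secret `somesecret` is the one from the radtest command; the Request Authenticator, CHAP challenge and the misspelled password are constructed values.

```python
"""RADIUS PAP password hiding (RFC 2865 5.2) and CHAP verification (RFC 1994 / RFC 2865 5.3).

Added example, not code from the thread or from FreeRADIUS. The shared secret is the
one from the radtest command in the thread; the Request Authenticator, the CHAP
challenge and the misspelled password are constructed test values.
"""
import hashlib
import hmac

SECRET = b"somesecret"            # from the thread's radtest command
AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
CHALLENGE = bytes(range(16, 32))  # constructed CHAP challenge
PRINTABLE = range(0x20, 0x7F)     # printable ASCII (the kind of check behind rlm_pap's warning)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad with NULs to a multiple of 16 bytes, then XOR block i with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, chained over the received ciphertext blocks.
    Trailing NUL padding is stripped (a password that really ends in NUL bytes is
    lost, a known limitation of the scheme)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def check_pap(hidden: bytes, secret: bytes, authenticator: bytes, known: bytes) -> str:
    """What rlm_pap's log lines boil down to: a wrong shared secret turns the
    attribute into keystream garbage (unprintable bytes), while a wrong password
    decodes cleanly and simply differs from the stored clear-text password."""
    decoded = reveal_user_password(hidden, secret, authenticator)
    if hmac.compare_digest(decoded, known):
        return "ok"
    if any(b not in PRINTABLE for b in decoded):
        return "reject: unprintable characters in the password (check the shared secret)"
    return "reject: passwords don't match"


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value = MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def check_chap(chap_id: int, response: bytes, challenge: bytes, known: bytes) -> str:
    """rlm_chap recomputes the response from the stored clear-text password. The
    shared secret plays no part, so a CHAP failure points at the password itself."""
    expected = chap_response(chap_id, known, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "reject: password check failed"


def demo() -> dict:
    """The situations the thread's logs show, replayed on the constructed values."""
    good = hide_user_password(b"testing", SECRET, AUTHENTICATOR)
    typo = hide_user_password(b"tesitng", SECRET, AUTHENTICATOR)   # misspelled on the NAS
    return {
        "pap_right_password": check_pap(good, SECRET, AUTHENTICATOR, b"testing"),
        "pap_wrong_password": check_pap(typo, SECRET, AUTHENTICATOR, b"testing"),
        "pap_wrong_secret": check_pap(good, b"othersecret", AUTHENTICATOR, b"testing"),
        "chap_right_password": check_chap(1, chap_response(1, b"testing", CHALLENGE), CHALLENGE, b"testing"),
        "chap_wrong_password": check_chap(1, chap_response(1, b"tesitng", CHALLENGE), CHALLENGE, b"testing"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```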

certificate client.* non valid on windows XP

2008-07-12 Thread Reveal MAP
hi,

I use freeradius 2.0.5 and openSUSE 10.3

I ran the bootstrap script + make client.pem, make client.p12,
- I imported ca.der on my XP laptop, into the CA Authority container.
I imported server.p12 too (just to verify the signature) and everything is OK.
- But when I import client.p12, Windows tells me this certificate is not valid! and I don't know why.

I executed two commands, server.vrfy and client.vrfy, hoping their output (below) could help.


Thank you for helping
-
linux:/etc/raddb/certs # make server.vrfy
openssl verify -CAfile ca.pem server.pem
server.pem: OK


make client.vrfy
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
cp client.pem `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.pem
c_rehash .
Doing .
02.pem = eee97f35.0
WARNING: Skipping duplicate certificate [EMAIL PROTECTED]
client.pem = 583a9f4b.0
01.pem = dcd1729a.0
WARNING: Skipping duplicate certificate [EMAIL PROTECTED]
server.pem = dcd1729a.1
WARNING: Skipping duplicate certificate 03.pem
WARNING: Skipping duplicate certificate 04.pem
ca.pem = 23537b55.0
openssl verify -CApath . client.pem
client.pem: OK



  

Re: certificate client.* non valid on windows XP

2008-07-12 Thread Sergio

I had the same problem. The fact is that server is an intermediate authority and, using Internet Explorer, you need to install server.p12 into the intermediate trusted CA container. Also check the validity period (beginning date). I had to change the Windows date to the next day, but I don't remember why. Finally I made my own CA because the default radius PKI was confusing me, and I used my CA private key to sign client.*

I hope that this helps you.
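Sergio's two checks (who issued the client certificate, and whether its validity period has begun on the client's clock), as an added example that is not code from the thread or from the FreeRADIUS project. It assumes the output format of `openssl x509 -noout -subject -issuer -dates -ext extendedKeyUsage` from OpenSSL 1.1.1 or later, works on a constructed certificate text and trusted-root name, and adds a clientAuth EKU check that goes beyond what the thread says.

```python
"""Why a Windows client may call a FreeRADIUS-generated client certificate "not valid".

Added example, not code from the thread or from the FreeRADIUS project. It reads the
text that `openssl x509 -noout -subject -issuer -dates -ext extendedKeyUsage` prints
(assumption: OpenSSL 1.1.1 or later; `-ext` does not exist in older releases) and
applies the checks Sergio describes, plus an EKU check that goes beyond the thread.
The certificate text below is constructed, not taken from the thread.
"""
import subprocess
from datetime import datetime, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"   # openssl prints e.g. "Jul  5 09:03:32 2008 GMT"


def x509_text(pem_path: str) -> str:
    """Ask openssl for the fields parse_x509_text() needs (not exercised offline)."""
    cmd = ["openssl", "x509", "-in", pem_path, "-noout",
           "-subject", "-issuer", "-dates", "-ext", "extendedKeyUsage"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_x509_text(text: str) -> dict:
    """Pull subject, issuer, validity window and the EKU names out of openssl's output.
    Names are kept exactly as printed, so compare them against names printed the same way."""
    info = {"eku": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        for key in ("subject", "issuer", "notBefore", "notAfter"):
            if line.startswith(key + "="):
                info[key] = line[len(key) + 1:].strip()
        # the EKU names follow on the line after the extension header
        if line.strip().startswith("X509v3 Extended Key Usage") and i + 1 < len(lines):
            info["eku"] = [e.strip() for e in lines[i + 1].split(",") if e.strip()]
    for key in ("notBefore", "notAfter"):
        info[key] = datetime.strptime(info[key], OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return info


def diagnose(cert: dict, trusted_root_subjects: set, now: datetime) -> list:
    """Reasons a client would reject the certificate; an empty list means none found.

    issuer-not-root    : the issuer is not one of the trusted roots, so the issuing
                         (intermediate) certificate, server.p12 in the thread, must be
                         installed in the Intermediate Certification Authorities store.
    not-yet-valid      : notBefore is ahead of the client's clock (Sergio's date problem).
    expired            : notAfter is behind the client's clock.
    no-clientauth-eku  : no "TLS Web Client Authentication" EKU (beyond the thread;
                         Windows expects it on a client-authentication certificate).
    """
    problems = []
    if cert["issuer"] not in trusted_root_subjects:
        problems.append("issuer-not-root")
    if now < cert["notBefore"]:
        problems.append("not-yet-valid")
    elif now > cert["notAfter"]:
        problems.append("expired")
    if "TLS Web Client Authentication" not in cert["eku"]:
        problems.append("no-clientauth-eku")
    return problems


# Constructed sample: a client certificate issued by the server certificate (acting as
# an intermediate CA) rather than by the root the laptop trusts, valid only from 13 July.
SAMPLE_CLIENT_TEXT = """\
subject=C = FR, ST = Radius, O = Example Inc., CN = user@example.org
issuer=C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate
notBefore=Jul 13 14:09:34 2008 GMT
notAfter=Jul 13 14:09:34 2009 GMT
X509v3 Extended Key Usage:
    TLS Web Client Authentication
"""
TRUSTED_ROOTS = {"C = FR, ST = Radius, O = Example Inc., CN = Example Certificate Authority"}


def diagnose_text(text: str, clock_utc: str) -> list:
    """Run the checks on openssl output as of a client clock given like "2008-07-12 16:00"."""
    now = datetime.fromisoformat(clock_utc).replace(tzinfo=timezone.utc)
    return diagnose(parse_x509_text(text), TRUSTED_ROOTS, now)


if __name__ == "__main__":
    # the laptop's clock is still on 12 July: both of Sergio's findings show up
    print(diagnose_text(SAMPLE_CLIENT_TEXT, "2008-07-12 16:00"))
```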

Re: certificate client.* non valid on windows XP

2008-07-12 Thread Reveal MAP
Thank you Sergio for your answer.


- Windows also says that one of the certificate authorities seems not to be able to deliver certificates or can't be used as an end entity...
so I tried what you said: install server.p12 as an intermediate CA, without resolving the problem.

I will try to make my own certs and see. Thanks!




----- Original Message -----
From: Sergio [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, 13 July 2008, 16:09:34
Subject: Re: certificate client.* non valid on windows XP

Reveal MAP escribió:
 hi,

 I use freeradius 2.0.5 and openSUSE 10.3

 i ran bootstrap script + make client.pem, make.client.p12,
 - I imported ca.der on my xp laptop, located at the CA Authorithy 
 containeer.
 I imported server.p12 too (just to verify the signature) and 
 everything is Ok
 - But when i import client.p12, windows says me this certificated is  
 not valid! and i dont know why.

 I executed two commands: server.vrfy and client.vrfy, hoping their 
 output (below) could help.


 Thank you for helping
 -
 linux:/etc/raddb/certs # make server.vrfy
 openssl verify -CAfile ca.pem server.pem
 server.pem: OK


 make client.vrfy
 openssl pkcs12 -export -in server.crt -inkey server.key -out 
 server.p12  -passin pass:`grep output_password server.cnf | sed 
 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | 
 sed 's/.*=//;s/^ *//'`
 openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep 
 output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout 
 pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
 MAC verified OK
 openssl pkcs12 -export -in client.crt -inkey client.key -out 
 client.p12  -passin pass:`grep output_password client.cnf | sed 
 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | 
 sed 's/.*=//;s/^ *//'`
 openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep 
 output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout 
 pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
 MAC verified OK
 cp client.pem `grep emailAddress client.cnf | grep '@' | sed 
 's/.*=//;s/^ *//'`.pem
 c_rehash .
 Doing .
 02.pem = eee97f35.0
 WARNING: Skipping duplicate certificate [EMAIL PROTECTED]
 client.pem = 583a9f4b.0
 01.pem = dcd1729a.0
 WARNING: Skipping duplicate certificate [EMAIL PROTECTED]
 server.pem = dcd1729a.1
 WARNING: Skipping duplicate certificate 03.pem
 WARNING: Skipping duplicate certificate 04.pem
 ca.pem = 23537b55.0
 openssl verify -CApath . client.pem
 client.pem: OK

 

Re: Re : certificate client.* non valid on windows XP

2008-07-12 Thread Sergio

Try to install server.cer, not server.p12, into the intermediate container.
Open the client cert with IE and see the certification route. If you can see the
3-level route but the client cert isn't OK, check the dates. I'm sure this works.


Re : Re : certificate client.* non valid on windows XP

2008-07-12 Thread Reveal MAP
Installing ca.der, server.crt and client.crt, I obtain exactly the same result!!




Re : certificate client.* non valid on windows XP

2008-07-12 Thread Sergio

Reveal MAP wrote:
Installing ca.der, server.crt and client.crt, I obtain exactly the
same result!!



having problems with different eap modules

2008-07-12 Thread Sergio
Hi,

my users file contains this:

YEBENES MORENO, SERGIO (AUTENTICACIÓN)
NOMBRE YEBENES MORENO SERGIO


my sites-enabled/default contains this

authorize {

..
if (User-Name == YEBENES MORENO, SERGIO (AUTENTICACIÓN)) {
DNIe
}
elsif (User-Name == NOMBRE YEBENES MORENO SERGIO) { 
FNMT
}
..
}
authenticate {
..
DNIe
FNMT
.   
}

my radiusd.conf contains this

..
eap DNIe {}
eap FNMT {}
.
#being separated, working ok

I've also deactivated proxy requests and commented out $INCLUDE proxy.conf.
Sometimes I can authenticate both users, but sometimes I get this log,
with the first user in this case:

rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0,
length=191
User-Name = YEBENES MORENO, SERGIO (AUTENTICACIÓN)
NAS-IP-Address = 192.168.0.3
Called-Station-Id = 0014c145956f
Calling-Station-Id = 001cf01294dd
NAS-Identifier = 0014c145956f
NAS-Port = 27
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x022c01594542454e4553204d4f52454e4f2c2053455247494f2028415554454e544943414349c3934e29
Message-Authenticator = 0xa54b6486b856720c5b53d13d93a3c986
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = YEBENES MORENO, SERGIO
(AUTENTICACI�?N), looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
++? if (User-Name == YEBENES MORENO, SERGIO (AUTENTICACI�?N))
? Evaluating (User-Name == YEBENES MORENO, SERGIO (AUTENTICACI�?N)) -
TRUE
++? if (User-Name == YEBENES MORENO, SERGIO (AUTENTICACI�?N)) - TRUE
++- entering if (User-Name == YEBENES MORENO, SERGIO (AUTENTICACI�?N))
  rlm_eap: EAP packet type response id 0 length 44
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
+++[DNIe] returns updated
++- if (User-Name == YEBENES MORENO, SERGIO (AUTENTICACI�?N)) returns
updated
++ ... skipping elsif for request 0: Preceding if was taken
++[unix] returns notfound
users: Matched entry YEBENES MORENO, SERGIO (AUTENTICACI�?N) at line
64
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type DNIe
auth: type DNIe
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[DNIe] returns handled
Sending Access-Challenge of id 0 to 192.168.0.3 port 3072
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0x4b4488b94b458530f65cf8f80cfd1f5e
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0,
length=199
NAS-IP-Address = 192.168.0.3
Called-Station-Id = 0014c145956f
Calling-Station-Id = 001cf01294dd
NAS-Identifier = 0014c145956f
NAS-Port = 27
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0201005d0d001603010052014e030148791746f321838297028ad0310c01e89a8658b33fb6d1912141922b623886ab2600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
Message-Authenticator = 0x6e7ed6d984d2842c80ec94779dbd71c7
+- entering group authorize
++[preprocess] returns ok
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns ok
++? if (User-Name == YEBENES MORENO, SERGIO (AUTENTICACI�?N))
(Attribute User-Name was not found)
++? elsif (User-Name == NOMBRE YEBENES MORENO SERGIO)
(Attribute User-Name was not found)
++[unix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -
++[attr_filter.access_reject] returns noop
Sending Access-Reject of id 0 to 192.168.0.3 port 3072
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 0 with timestamp +38
Ready to process requests.

Why couldn't User-Name be found?
If the first match with the users file was OK and found the DNIe module, radius
should begin the TLS handshake.
Does wpa_supplicant send the identity only in the first Access-Request? This
sounds a little strange...
Any Sauron Eye that can help me? Thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
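The two Access-Requests in the log above, rebuilt as an added example in Python (not part of the original post): it reproduces the logged lengths 191 and 199 from exactly the attributes rad_recv listed, which confirms the second request carried neither User-Name nor State, and it decodes the EAP-Message to show that the identity is present only in the EAP-Response/Identity while the EAP-TLS packet has no identity field. The TLS bytes inside the second EAP-Message are a constructed placeholder, and the helper function names are mine.

```python
"""Added example (not from the original post): rebuilds the two Access-Requests
from the attributes rad_recv printed and decodes their EAP-Message payloads."""
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1          # RFC 3748
EAP_TYPE_TLS = 13              # RFC 5216

# RADIUS attribute type codes (RFC 2865 / RFC 2869) used below
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_MTU = 1, 4, 5, 12
STATE, CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 24, 30, 31, 32
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
RADIUS_HEADER_LEN = 20         # Code, Identifier, Length, Authenticator


def build_eap_response(ident, eap_type, payload):
    """Code | Identifier | Length | Type | data, Length big-endian (RFC 3748 s4.1)."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(payload), eap_type) + payload


def parse_eap(pkt):
    """Decode an EAP header; an identity string exists only for Type 1 (Identity)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} != {len(pkt)} bytes received")
    info = {"code": code, "id": ident, "type": pkt[4] if length > 4 else None,
            "identity": None}
    if info["type"] == EAP_TYPE_IDENTITY:
        info["identity"] = pkt[5:].decode("utf-8", errors="replace")
    return info


def radius_length(attrs):
    """Length field of a RADIUS packet carrying the given (type, value) attributes:
    the 20-byte header plus 2 bytes of Type/Length overhead per attribute."""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError(f"attribute {attr_type}: {len(value)}-byte value does not fit")
    return RADIUS_HEADER_LEN + sum(2 + len(value) for _, value in attrs)


def missing_conversation_attrs(attrs):
    """Attributes a NAS should carry on a request that answers an Access-Challenge
    (RFC 2865 requires State to be echoed unmodified) that are absent here.  On the
    very first request of a conversation, State is legitimately absent."""
    present = {attr_type for attr_type, _ in attrs}
    return [name for name, attr_type in (("User-Name", USER_NAME), ("State", STATE))
            if attr_type not in present]


# --- constructed packets mirroring the log above ---
IDENTITY = "YEBENES MORENO, SERGIO (AUTENTICACIÓN)"      # 39 bytes of UTF-8; Ó = C3 93
EAP_IDENTITY_PKT = build_eap_response(0, EAP_TYPE_IDENTITY, IDENTITY.encode("utf-8"))
# EAP-TLS response: flags byte 0x00, then TLS data.  The 87 bytes after the flags are
# a constructed placeholder (a TLS record header and zero padding), not a real
# ClientHello; they make the EAP Length 93 (0x5d) as in the second rad_recv line.
EAP_TLS_PKT = build_eap_response(1, EAP_TYPE_TLS, b"\x00" + b"\x16\x03\x01" + b"\x00" * 84)

COMMON_ATTRS = [
    (NAS_IP_ADDRESS, bytes([192, 168, 0, 3])),
    (CALLED_STATION_ID, b"0014c145956f"),
    (CALLING_STATION_ID, b"001cf01294dd"),
    (NAS_IDENTIFIER, b"0014c145956f"),
    (NAS_PORT, struct.pack("!I", 27)),
    (FRAMED_MTU, struct.pack("!I", 1400)),
    (NAS_PORT_TYPE, struct.pack("!I", 19)),           # 19 = Wireless-802.11
]
MESSAGE_AUTH = (MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # only its size matters here

# request 0 (length=191): User-Name plus the EAP-Response/Identity
FIRST_REQUEST = ([(USER_NAME, IDENTITY.encode("utf-8"))] + COMMON_ATTRS
                 + [(EAP_MESSAGE, EAP_IDENTITY_PKT), MESSAGE_AUTH])
# request 1 (length=199): the attributes rad_recv listed, nothing else
SECOND_REQUEST = COMMON_ATTRS + [(EAP_MESSAGE, EAP_TLS_PKT), MESSAGE_AUTH]


if __name__ == "__main__":
    for label, req in (("request 0", FIRST_REQUEST), ("request 1", SECOND_REQUEST)):
        eap = parse_eap(dict(req)[EAP_MESSAGE])
        print(label, "length", radius_length(req), "EAP type", eap["type"],
              "identity", eap["identity"], "missing", missing_conversation_attrs(req))
```

Because the 199-byte request accounts for every listed attribute, the NAS really did omit both User-Name and the State it was challenged with, so any authorize policy keyed on User-Name cannot match after the first packet.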

Re : Re : certificate client.* non valid on windows XP

2008-07-12 Thread Reveal MAP
Thanks for your help Sergio, but it is exactly the same!! It doesn't work.




Get AD Profile

2008-07-12 Thread Nelson Vale
Hi all,


I have my freeradius deployment (2.0.2) configured to authenticate users against
Active Directory and that is working fine. But I want to retrieve the user's
profile from Active Directory, to add a VLAN ID (Tunnel-Private-Group-ID) to the
Access-Accept reply.

I really don't know how to do this and I couldn't find a clear solution, either
in the documentation (rlm_ldap) or by googling. So I would appreciate it if someone
could give me a hand on this.

What I've done so far is to add this entry to the ldap.attrmap file: replyItem
radiusProfileDn memberOf. The profile I want to retrieve is the CN in this
object, like cn=PROFILE,dc=domain,dc=com, but in the radius debug I'm getting
this error:


++[ntdomain] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for figo
expand: %{Stripped-User-Name} - figo
expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -
(sAMAccountName=figo)
expand: dc=ldaptest,dc=pt - dc=ldaptest,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ldaptest,dc=com, with filter
(sAMAccountName=figo)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Failed to create the pair: Invalid octet string
CN=grupo1,DC=ldaptest,DC=com for attribute name radiusProfileDn
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
rlm_ldap: user figo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
expand: %{Stripped-User-Name} - figo
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} - figo
++[files] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  Using saved attributes from the original Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [LDAPTEST.COM\\figo/via Auth-Type = EAP] (from client portatil
port 0 cli 02-00-00-00-00-01)
Sending Access-Accept of id 17 to 192.168.10.200 port 33000
User-Name = figo
MS-MPPE-Recv-Key =
0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5
MS-MPPE-Send-Key =
0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d
EAP-Message = 0x03080004
Message-Authenticator = 0x



Is this the way to achieve what I want, or am I completely wrong?

Thanks,



Nelson Vale
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re : certificate client.* non valid on windows XP

2008-07-12 Thread Sergio

Reveal MAP wrote:

Thanks for your help Sergio, but it is exactly the same!! It doesn't work.

- Message d'origine 
De : Sergio [EMAIL PROTECTED]
À : FreeRadius users mailing list freeradius-users@lists.freeradius.org
Envoyé le : Dimanche, 13 Juillet 2008, 18h51mn 41s
Objet : Re : certificate client.* non valid on windows XP

Reveal MAP escribió:
 Installing ca.der, server.crt and client.crt, i obtain exactly the
 same result!!

 - Message d'origine 
 De : Sergio [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
 À : FreeRadius users mailing list 
freeradius-users@lists.freeradius.org 
mailto:freeradius-users@lists.freeradius.org

 Envoyé le : Dimanche, 13 Juillet 2008, 16h59mn 38s
 Objet : Re: Re : certificate client.* non valid on windows XP

 Reveal MAP escribió:
  Thank you Sergio for your answer.
 
 
  - windows says too that one of the certificate authority seems to not
  be able to deliver certificate or can't be used as final entity...
  so, I tried what you said:  install Server.p12 as intermediate CAr,
  without resolving the problem.
 
  i will try to make my own certs and see. thanks!
 
  -
 
  
  I had the same problem. The fact is that server is an intermediate
  authotity and, using internet explorer, you need to install server.p12
  into intermediate trusted ca containeer. Also check validity period
  (begining date). I had to change windows date to next day, but I don't
  remember why. Finally I made my own ca because default radius PKI was
  confusing me, and I used mi ca private key to sign client.*
  I hope that this help you.
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
  - Message d'origine 
  De : Sergio [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

  À : FreeRadius users mailing list
 freeradius-users@lists.freeradius.org 
mailto:freeradius-users@lists.freeradius.org
 mailto:freeradius-users@lists.freeradius.org 
mailto:freeradius-users@lists.freeradius.org

  Envoyé le : Dimanche, 13 Juillet 2008, 16h09mn 34s
  Objet : Re: certificate client.* non valid on windows XP
 
  Reveal MAP escribió:
   hi,
  
   I use freeradius 2.0.5 and openSUSE 10.3
  
   i ran bootstrap script + make client.pem, make.client.p12,
   - I imported ca.der on my xp laptop, located at the CA Authorithy
   containeer.
   I imported server.p12 too (just to verify the signature) and
   everything is Ok
   - But when i import client.p12, windows says me this certificated is
   not valid! and i dont know why.
  
   I executed two commands: server.vrfy and client.vrfy, hoping their
   output (below) could help.
  
  
   Thank you for helping
  
 
 
-

   linux:/etc/raddb/certs # make server.vrfy
   openssl verify -CAfile ca.pem server.pem
   server.pem: OK
  
  
   make client.vrfy
   openssl pkcs12 -export -in server.crt -inkey server.key -out
   server.p12  -passin pass:`grep output_password server.cnf | sed
   's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf |
   sed 's/.*=//;s/^ *//'`
   openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep
   output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout
   pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
   MAC verified OK
   openssl pkcs12 -export -in client.crt -inkey client.key -out
   client.p12  -passin pass:`grep output_password client.cnf | sed
   's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf |
   sed 's/.*=//;s/^ *//'`
   openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep
   output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout
   pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
   MAC verified OK
   cp client.pem `grep emailAddress client.cnf | grep '@' | sed
   's/.*=//;s/^ *//'`.pem
   c_rehash .
   Doing .
   02.pem = eee97f35.0
   WARNING: Skipping duplicate certificate [EMAIL PROTECTED] 
   client.pem = 583a9f4b.0
   01.pem = dcd1729a.0
   WARNING: Skipping duplicate certificate [EMAIL PROTECTED] 
   server.pem = dcd1729a.1
   WARNING: Skipping duplicate certificate 03.pem
   WARNING: Skipping duplicate certificate 04.pem
   ca.pem = 23537b55.0
   openssl verify -CApath . client.pem
   client.pem: OK
  
  
 
Re : Re : certificate client.* non valid on windows XP

2008-07-12 Thread Joel MBA OYONE
Thanks a lot guy!

I tried to create my own certificate (that I didn't verify), but I still
encounter a problem generating the client certificate: the key file and the
.p12 file are empty (size 0 KB) and I don't know why, and it gives no error
message!!

I will try the scripts you gave me...

Mine are below and could have a mistake on the client lines:


##
#
#  Create a new self-signed CA certificate
#
##
# cakey.pem, cacert.pem:
	openssl req -new -x509 -keyout /etc/raddb/Md5CA/Private/cakey.pem -out /etc/raddb/Md5CA/cacert.pem -config /etc/raddb/Md5CA/conf/ca.cnf

ca.der: ca.pem
	openssl x509 -inform PEM -outform DER -in /etc/raddb/Md5CA/cacert.pem -out /etc/raddb/Md5CA/cacert.der

##




# server certificate request

	openssl req -newkey rsa:1024 -keyout /etc/raddb/Md5CA/keys/radiusserver2_key.pem -out /etc/raddb/Md5CA/req/radiusserver2_cert.req -config /etc/raddb/Md5CA/conf/server.cnf


# sign the server certificate

	openssl ca -out /etc/raddb/Md5CA/certs/radiusserver2_cert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/Md5CA/req/radiusserver2_cert.req

=====

# client certificate request

#	openssl req -new -nodes -keyout /etc/raddb/Md5CA/keys/toutou_key.pem -out /etc/raddb/Md5CA/req/toutou_cert.req
	openssl req -newkey rsa:1024 -keyout /etc/raddb/Md5CA/keys/toutou_key.pem -out /etc/raddb/Md5CA/req/toutou_cert.req -config /etc/raddb/Md5CA/conf/client.cnf

# sign the client certificate
# (note: the -out path below begins with /etc/raddb/certs/Md5CA/..., unlike
#  the /etc/raddb/Md5CA/... paths used everywhere else)

	openssl ca -out /etc/raddb/certs/Md5CA/certs/toutou_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/Md5CA/req/toutou_cert.req

# convert the client certificate to PKCS#12 format
# (note: -inkey reads from the directory key/, while the key above was written
#  to keys/; -in reads from /etc/raddb/Md5CA/certs/, while the signed
#  certificate above was written under /etc/raddb/certs/Md5CA/certs/)

	openssl pkcs12 -export -in /etc/raddb/Md5CA/certs/toutou_cert.pem -inkey /etc/raddb/Md5CA/key/toutou_key.pem -out /etc/raddb/Md5CA/certs/p12s/toutou_certs.p12 -clcerts




##
#
#  Miscellaneous rules.
#
##
index.txt:
	@touch index.txt

serial:
	@echo '01' > serial

random:
	@if [ -e /dev/urandom ] ; then \
		dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
	else \
		date > ./random; \
	fi

print:
	openssl x509 -text -in server.crt

printca:
	openssl x509 -text -in ca.pem

clean:
	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem

#
#  Run distclean ONLY if there's a CVS directory, AND it points to
#  cvs.freeradius.org.  Otherwise, it would be easy for administrators
#  to type "make distclean", and destroy their CA and server certificates.
#
distclean:
	@if [ -d CVS -a "`grep -i 'cvs\.freeradius\.org' CVS/Root`" ] ; then \
		rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
		serial* random *\.0 *\.1; \
	fi



 
MBA OYONE Joël
Lot. El Firdaous
Bât GH20, Porte A 204, Appt 8
2 Oulfa
Casablanca - Maroc
 
Tél. : +212 69 25 85 70



----- Original message -----
From: Sergio [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 14 July 2008, 21:50:42
Subject: Re : certificate client.* non valid on windows XP

Reveal MAP wrote:
 Thanks for your help Sergio, but it is exactly the same!! It doesn't work.

 ----- Original message -----
 From: Sergio [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Sent: Sunday, 13 July 2008, 18:51:41
 Subject: Re : certificate client.* non valid on windows XP

 Reveal MAP wrote:
  Installing ca.der, server.crt and client.crt, I obtain exactly the
  same result!!
 
  ----- Original message -----
  From: Sergio [EMAIL PROTECTED]
  To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
  Sent: Sunday, 13 July 2008, 16:59:38
  Subject: Re: Re : certificate client.* non valid on windows XP
 
  Reveal MAP wrote:
   Thank you Sergio for your answer.
  
  
   - Windows also says that one of the certificate authorities seems unable
   to deliver a certificate or can't be used as a final entity...