RE: EAP and NIS

2006-11-04 Thread Brian vb
EAP-TLS is cert based, EAP-TTLS is User/Password based. Creates a secure
tunnel and then the less secure(but now protected and encrypted via TTLS)
methods of authentication are used. MSChap, etc.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Pedro
> Henrique Morsch Mazzoni
> Sent: Monday, October 30, 2006 1:06 PM
> To: freeradius-users@lists.freeradius.org
> Subject: EAP and NIS
> 
> Is there a way to use NIS to authenticate users with their passwords
> when I am using EAP-TLS?
> 
> Thanks,
> Pedro Mazzoni



RE: EAP-TLS Certificate problems.

2006-10-10 Thread Brian vb
Got it up and running. Partially your help, and partially me going and
forcefully breaking something to see what errors cropped up. Renamed the
original PEM directory in OpenSSL and all sorts of errors popped up that led
me to the discovery it was still using the DemoCA's CA to make the client
and server certs, and not the CA created by the script. I've since got that
fixed and it all works perfect now.

Best way to fix a noncritical is to break it and see what goes really wrong!
;)

Thanks,
Brian.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Jason-
> Wittlin-Cohen
> Sent: Monday, October 09, 2006 1:45 PM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: EAP-TLS Certificate problems.
> 
> > Date: Mon, 9 Oct 2006 11:26:51 -0400
> > From: "Brian vb" <[EMAIL PROTECTED]>
> > Subject: RE: EAP-TLS Certificate problems.
> > To: "'FreeRadius users mailing list'"
> > 
> > Message-ID: <[EMAIL PROTECTED]>
> > Content-Type: text/plain;   charset="us-ascii"
> >
> > Recreated certs, same issue came with the Issuer field. XPExtensions are
> > used. Password is the same in this file and what Freeradius has just
> changed
> > to protect it.
> >
> >
> > Here is the batch file I'm using to create the certs. I don't see
> anything
> > amiss between it and the page you sent.. any ideas?
> >
> >
> > PATH=C:\openssl\bin;C:\ssl1;%path%
> > export LD_LIBRARY_PATH=C:\openssl\lib
> >
> >
> > CD\SSL1
> >
> > REM CA Creation
> > C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
> > -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -
> cacerts
> > -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin
> > pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out
> > root.der
> 
> I'm not sure what you're doing here. First, "> C:\openssl\bin\openssl
> req -new -x509 -keyout newreq.pem -out newreq.pem
> > -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved"
> 
> You're outputting the private key and public key to the same file. I'm
> not sure if this will include both in the same file, or only create
> one. Regardless, it's not what you want to do. Give the files unique
> names. The clients and server need the public key and only the
> certificate signing machine needs the private key. You don't want to
> combine the keys.
> 
> To create a CA:
> 
> openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days
> 365 -config openssl.cnf
> 
> Also, why are you creating a p12 file for the CA? You certainly don't
> want to hand out the private key to clients, and for certificate
> signing, you only need the private key which can be stored in
> cakey.pem for example. Clients should be given cacert.pem or
> cacert.der depending on the format you use. The p12 format should only
> be used for client certs because those need to combine private key +
> certificate (at least for the MS supplicant).
> 
> >
> > REM Client cert Create
> > C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days
> 730
> > -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> 
> Again, -keyout is used to create the private key, and -out to create
> the certificate signing request which is then passed on to the CA
> later. You're using the same filename, so I have no idea what's
> happening. Either you have a certificate signing request and no key,
> or a key without a signing request. Either way, it won't work.
> 
> 
> You need to do something like this:
> 
> openssl req -new -keyout client_key.pem \
> -out client_req.pem -days 730 -config ./openssl.cnf
> 
> Notice that the key and the signing request are given different names.
> 
> >
> > C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -
> passin
> > pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -
> extfile
> > xpexts -infiles newreq.pem
> >
> > C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem
> -out
> > cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout
> > pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin
>
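
Added example, not part of the thread or of the FreeRADIUS project: a shell script that follows the advice in the reply above (separate files for key and signing request, an explicitly named signing CA) and then checks who actually issued the client certificate. The CA names `own` and `other`, the subject names and the file names are assumptions; it signs with `openssl x509 -req` and explicit `-CA`/`-CAkey` instead of the `openssl ca` command used in the thread, and leaves keys unencrypted so it runs unattended.

```shell
#!/bin/sh
# Added example, not from the thread: CA names, subjects and file names are
# assumptions. Keys are unencrypted (-nodes) only so the script runs unattended.

write_cnf() {       # write_cnf FILE "Common Name"
    cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
}

make_ca() {         # make_ca DIR NAME "Common Name" -> NAME_key.pem, NAME_cert.pem
    write_cnf "$1/$2.cnf" "$3"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/$2.cnf" -keyout "$1/$2_key.pem" -out "$1/$2_cert.pem" \
        2>/dev/null
}

make_client() {     # make_client DIR CA_NAME -> client_key.pem, client_cert.pem
    write_cnf "$1/client.cnf" "client1"
    # Private key and signing request go to two different files.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/client.cnf" \
        -keyout "$1/client_key.pem" -out "$1/client_req.pem" 2>/dev/null
    # The signing CA is named explicitly, so no default demo CA can be picked up.
    openssl x509 -req -in "$1/client_req.pem" -days 730 \
        -CA "$1/$2_cert.pem" -CAkey "$1/$2_key.pem" -CAcreateserial \
        -extfile "$1/client.cnf" -extensions xpclient_ext \
        -out "$1/client_cert.pem" 2>/dev/null
}

issued_by() {       # issued_by CERT CA_CERT -> prints yes or no
    if [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
         "$(openssl x509 -noout -subject_hash -in "$2")" ] &&
       openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
    then echo yes; else echo no; fi
}

has_client_auth() { # has_client_auth CERT -> prints yes or no
    if openssl x509 -noout -text -in "$1" |
         grep -q 'TLS Web Client Authentication'
    then echo yes; else echo no; fi
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" own "Example Root CA"
    make_ca "$d" other "Some Other CA"   # stands in for a leftover demo CA
    make_client "$d" own
    echo "issued by own CA:   $(issued_by "$d/client_cert.pem" "$d/own_cert.pem")"
    echo "issued by other CA: $(issued_by "$d/client_cert.pem" "$d/other_cert.pem")"
    echo "client-auth EKU:    $(has_client_auth "$d/client_cert.pem")"
    rm -rf "$d"
}

demo
```

A certificate that answers "no" against the CA configured in `CA_file` is the case the server logs as `verify error:num=20`.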

RE: EAP-TLS Certificate problems.

2006-10-09 Thread Brian vb
Recreated certs, same issue came with the Issuer field. XPExtensions are
used. Password is the same in this file and what Freeradius has just changed
to protect it.


Here is the batch file I'm using to create the certs. I don't see anything
amiss between it and the page you sent.. any ideas?


PATH=C:\openssl\bin;C:\ssl1;%path%
export LD_LIBRARY_PATH=C:\openssl\lib


CD\SSL1

REM CA Creation
C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem
-days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out
root.der

REM Client cert Create
C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile
xpexts -infiles newreq.pem

C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout
pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out
cert-clt.der

REM Server Cert Create
C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730
-passin pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin
pass:PassCodeRemoved -key PassCodeRemoved -extensions xpserver_ext -extfile
xpexts -infiles newreq.pem

C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
cert-srv.p12 -clcerts -passin pass:PassCodeRemoved -passout
pass:PassCodeRemoved

C:\openssl\bin\openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin
pass:PassCodeRemoved -passout pass:PassCodeRemoved

C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-srv.pem -out
cert-srv.der

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Jason
> Wittlin-Cohen
> Sent: Monday, October 09, 2006 12:12 AM
> To: freeradius-users@lists.freeradius.org
> Subject: EAP-TLS Certificate problems.
> 
> Brian vb said: "Ca is in trusted root stores under "Current User", and
> client is in Personal
> under "Current User". One thing I see when viewing the certs is the Root
> has
> "Locker Systems" (using a random name to keep the identity of my company
> out
> of the certs) as the issuer and the client has SSLeay Demoserver.. looks
> like OpenSSL didn't make the certs right for some odd reason.. it's like it
> used its own CA root or something else happened. I will recreate the certs
> but I'm quite sure I entered the same data in all certs except commonname
> which I made the same as the machine the cert will reside on. Root ca
> common
> name didn't match any machine name. Where should the CA be? Machine or
> User?"
> 
> First, when you create the server and client certificates you need to use
> the Microsoft attributes for
> Server and Client authentication.
> 
> [ xpclient_ext]
> extendedKeyUsage = 1.3.6.1.5.5.7.3.2
> [ xpserver_ext ]
> extendedKeyUsage = 1.3.6.1.5.5.7.3.1
> 
> I would suggest following the instructions here:
> http://www.linuxjournal.com/node/8095/print
> The howto is for setup of Freeradius on Linux, but it should be similar on
> Windows because
> it's the OpenSSL commands that matter when creating the certs.
> 
> In order to find out if the certificate is correct, you can double click
> the certificate in the Personal store
> and go to "Certification Path". You should see the certificate common name
> as well as the common name of your Root CA.
> If you don't, something is wrong. You should also see "This certificate is
> OK" in the Certificate status box.
> If this isn't the case, either the certificate was signed by the wrong CA,
> or the Root CA wasn't properly loaded into the User
> "Trusted Root Certificate Authorities" store.
> 



RE: EAP-TLS Certificate problems.

2006-10-08 Thread Brian vb
The "surgery" performed was simply to remove the repeating lines and define
the two separate errors. Certs are in files, user has permission to read
them (buried it in the users own profile directory to secure them better)
I have the XpExtensions and it's referenced in the cert creation batchfile I
have.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Phil
> Mayers
> Sent: Sunday, October 08, 2006 3:33 PM
> To: FreeRadius users mailing list
> Subject: Re: EAP-TLS Certificate problems.
> 
> Brian vb wrote:
> > the radius systems log. I have created 3 certificates, Root, Client,
> Server.
> > The Root and Client certificates were installed via the MMC snapin and
> > Import wizard in XP.  Any idea on what could be causing the errors? If I
> 
> On the server, the certificates are in *files* yes?
> 
>   tls: private_key_file = "C:/Docume~1/radius/rcerts/cert-srv.pem"
>   tls: certificate_file = "C:/Docume~1/radius/rcerts/cert-srv.pem"
>   tls: CA_file = "C:/Docume~1/radius/rcerts/root.pem"
>   tls: private_key_password = "SuperSecretCode"
> 
> They're there and valid?
> 
> > Sending Access-Challenge of id 50 to 10.1.1.189 port 1039
> > EAP-Message = 0x0104000a0d80
> > Message-Authenticator = 0x
> > State = 0xd2f07585b4ad88459f3f0f28a7fa6fb2
> > Finished request 2
> > Going to the next request
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 48 with timestamp 45283c27
> > Cleaning up request 1 ID 49 with timestamp 45283c27
> > Cleaning up request 2 ID 50 with timestamp 45283c27
> > Nothing to do.  Sleeping until we see a request.
> 
> This looks like the server certificate doesn't have the magic oids - the
> XP client stops halfway through. Search the archives for "magic oids"
> 
> 
> 
> 
> > Error 1 is seen if I have Validate Server Certificate check on the XP
> > Laptop.
> >
> > --Error 1--
> > Sat Oct  7 19:35:58 2006 : Error: TLS_accept:error in SSLv3 read
> client
> > certificate A
> > --
> 
> 
> 
> >
> >
> > Error 2 is seen if Validate is unchecked on the laptop
> >
> > --Error 2--
> > Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read
> client
> > certificate A
> > Sat Oct  7 19:34:35 2006 : Error: --> verify error:num=20:unable to get
> > local issuer certificate
> > Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
> > Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read
> client
> > certificate B
> > Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a
> system
> > call (-1), TLS session fails.
> > Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/ > User-Password attribute>] (from client netnas port 11 cli 0014a5104864)
> > -
> >
> 
> Since you've obviously performed some kind of surgery on the debug logs
> here, it's difficult to determine precisely what the context for these
> two errors are. What is the single, full, unaltered debug output for the
> failure case you're actually trying to solve?



RE: EAP-TLS Certificate problems.

2006-10-08 Thread Brian vb
Ca is in trusted root stores under "Current User", and client is in Personal
under "Current User". One thing I see when viewing the certs is the Root has
"Locker Systems" (using a random name to keep the identity of my company out
of the certs) as the issuer and the client has SSLeay Demoserver.. looks
like OpenSSL didn't make the certs right for some odd reason.. it's like it
used its own CA root or something else happened. I will recreate the certs
but I'm quite sure I entered the same data in all certs except commonname
which I made the same as the machine the cert will reside on. Root ca common
name didn't match any machine name. Where should the CA be? Machine or User?

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Jason
> Wittlin-Cohen
> Sent: Sunday, October 08, 2006 2:13 PM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: EAP-TLS Certificate problems.
> 
> 
> > Hi, I'm trying to get Freeradius up and running on a WinXP box (win
> haters.
> > be nice ;) ) I have downloaded, installed, and configured the Freeradius
> > version from www.freeradius.net. The server starts seemingly without
> errors.
> > However when I try to connect with my XP laptop I get a certificate
> error on
> > the radius systems log. I have created 3 certificates, Root, Client,
> Server.
> > The Root and Client certificates were installed via the MMC snapin and
> > Import wizard in XP.  Any idea on what could be causing the errors? If I
> > need to post file contents, let me know which ones. Using EAP-TLS(cert
> > based) not EAP-TTLS(user-pass based). Xp laptop is stuck at "Attempting
> to
> > Authenticate."
> >
> Welcome to the Freeradius mailing list, and thank you for providing
> debug log to help us sort out this issue. The debug information will
> tell you exactly why it's being rejected (i.e. no certificate was sent,
> certificate was signed by another CA). I believe I know what's going
> wrong.
> 
> The CA public cert should be stored in the "Trusted Root Certification
> Authorities" certificate store. If it's anywhere else, Windows won't
> authenticate the server and it will look like it's failing- when it's
> doing what you asked it to do. In this scenario you won't see any error
> output from Freeradius because Windows has stopped attempting to connect.
> 
> Your user public certificate must be stored in either your User or
> Machine Account "Personal" Certificate store (this is the first option
> in the snap-in). Also, if you have more than one certificate in your
> personal store, do not use "simply certificate selection". Windows will
> choose the one highest in the list (It did for me). Manually select the
> certificate you want to use.
> 
> Read this howto and follow the "Configuring Windows XP Clients" guide.
> It will tell you exactly what to do. See
> http://www.linuxjournal.com/node/8151/print
> 
> Here is what's happening currently:
> 
> > Error 1 is seen if I have Validate Server Certificate check on the XP
> > Laptop.
> >
> > --Error 1--
> > Sat Oct  7 19:35:58 2006 : Error: TLS_accept:error in SSLv3 read
> client
> > certificate A
> > --
> >
> >
> When you enable Server verification, Windows checks to see if the
> server's certificate is signed by a trusted Root CA that you specify.
> Since you didn't install the CA to the "Trusted Root Certificate
> Authorities" certificate store, the Windows supplicant refuses to
> continue authenticating and Freeradius has nothing to do. This error
> doesn't actually mean anything. I see it when I have a successful login.
> You're not seeing an error- which means the problem is on the client
> side. This can be remedied by installing your Root CA in the "Trusted
> Root Certification Authorities" certificate store.
> 
> Here's a successful authentication from my radiusd.log. You'll notice
> the read client certificate A error. It can safely be ignored.
> 
> Sun Oct  8 03:13:56 2006 : Error: TLS_accept:error in SSLv3 read
> client certificate A
> Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error
> error::lib(0):func(0):reason(0)
> Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error
> error::lib(0):func(0):reason(0)
> Sun Oct  8 03:13:56 2006 : Auth: Login OK: [Jason Wittlin-Cohen] (from
> client WLAN port 8 cli 00095b93459e)
> 
> > Error 2 is seen if Validate is unchecked on the laptop
> >
> > --Error 2--
> > Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read
> client
> > certificate A
> > Sat Oct  7 19:34:35 2006 : Error: --> verify error:num=20:unable to get
> > local issuer certificate
> > Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
> > Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read
> client
> > certificate B
> > Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a
> system
> > call (-1), TLS session fails.
> > Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [shadowwolf/ > User-Pas
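
Added example, not part of the thread or of FreeRADIUS: a small triage filter for the three log patterns discussed in the message above (the ignorable "read client certificate A" line on a good login, the unknown-CA rejection, and the case where the client stops and no result is logged). The sample lines are constructed on the model of the quoted excerpts; the user names, the verdict labels and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The sample lines are constructed, modelled
# on the log excerpts quoted above; user names and ports are placeholders.

triage_radius_log() {   # radiusd.log lines on stdin -> one verdict per outcome
    awk '
        function reset() { ignorable = 0; unknown_ca = 0 }
        BEGIN { reset() }
        # Seen on successful logins too, so it is only counted, never a verdict.
        /TLS_accept:error in SSLv3 read client certificate A/ { ignorable++ }
        # The server could not chain the client certificate to its CA_file.
        /verify error:num=20:/ || /TLS Alert write:fatal:unknown CA/ { unknown_ca = 1 }
        /Auth: Login OK/ { print "LOGIN_OK ignorable_lines=" ignorable; reset() }
        /Auth: Login incorrect/ {
            print "REJECTED cause=" (unknown_ca ? "client_cert_issuer_unknown" : "other")
            reset()
        }
        # Nothing but the ignorable line: the supplicant stopped on its own side.
        END { if (ignorable > 0) print "NO_RESULT ignorable_lines=" ignorable }
    '
}

sample_ok() {           # constructed: successful login
    cat <<'EOF'
Sun Oct  8 03:13:56 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Sun Oct  8 03:13:56 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Sun Oct  8 03:13:56 2006 : Auth: Login OK: [user1] (from client WLAN port 8)
EOF
}

sample_rejected() {     # constructed: client certificate signed by an unknown CA
    cat <<'EOF'
Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Sat Oct  7 19:34:35 2006 : Error: --> verify error:num=20:unable to get local issuer certificate
Sat Oct  7 19:34:35 2006 : Error: TLS Alert write:fatal:unknown CA
Sat Oct  7 19:34:35 2006 : Error: TLS_accept:error in SSLv3 read client certificate B
Sat Oct  7 19:34:35 2006 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Sat Oct  7 19:34:35 2006 : Auth: Login incorrect: [user2] (from client netnas port 11)
EOF
}

sample_stalled() {      # constructed: client gave up, server logged no result
    cat <<'EOF'
Sat Oct  7 19:35:58 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
EOF
}

for s in sample_ok sample_rejected sample_stalled; do
    printf '%s: %s\n' "$s" "$($s | triage_radius_log)"
done
```

These log lines carry no session identifier, so feed the filter the lines of one authentication attempt at a time.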

EAP-TLS Certificate problems.

2006-10-07 Thread Brian vb
Hi, I'm trying to get Freeradius up and running on a WinXP box (win haters.
be nice ;) ) I have downloaded, installed, and configured the Freeradius
version from www.freeradius.net. The server starts seemingly without errors.
However when I try to connect with my XP laptop I get a certificate error on
the radius systems log. I have created 3 certificates, Root, Client, Server.
The Root and Client certificates were installed via the MMC snapin and
Import wizard in XP.  Any idea on what could be causing the errors? If I
need to post file contents, let me know which ones. Using EAP-TLS(cert
based) not EAP-TTLS(user-pass based). Xp laptop is stuck at "Attempting to
Authenticate." 

Checked options on laptop are..
Authenticate as Computer when info is available (checked)
Authenticate as guest when comp/user info unavailable (UNCHECKED)
Use a Certificate on this computer.(checked)
Use Simple Cert selection (sub option, also checked)
Validate Server Cert (checked)
Trusted root I created/installed is checked

Thanks,
Brian.

--- System configuration ---
XP Desktop, SP2, FreeRadius, Wired to Network. Firewall off.
XP Laptop, SP2, Wireless to network, firewall off.
Netgear WG302 Prosafe AP. Wired to network.


3 Logs to post.. Debug and two errors.

---Logs---
-Debug-
C:\PROGRA~1\FreeRADIUS.net-1.1.1-r0.0.1\bin>radiusd.exe -d C:\progra~1\freeradius.net-1.1.1-r0.0.1\etc\raddb -AX
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file:
C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/etc/raddb/proxy.conf
Config:   including file:
C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/etc/raddb/clients.conf
Config:   including file:
C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/etc/raddb/snmp.conf
Config:   including file:
C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/etc/raddb/eap.conf
Config:   including file:
C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/etc/raddb/sql.conf
 main: prefix = ".."
 main: localstatedir = "C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/var"
 main: logdir = "C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/log/"
 main: libdir = "C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/lib"
 main: radacctdir = "C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/log//radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/log//radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile =
"C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/bin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "C:/Progra~1/FreeRADIUS.net-1.1.1-r0.0.1/log//radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512