Re: Freeradius error: Discarding conflicting packet
Jep, in my case I use about 30 AP's from Linksys (WAP54g). They all appear to be broken. Too bad, but then again a reason to integrate the N standard with other AP's... :)

2008/11/4 Stephen Bowman [EMAIL PROTECTED]

But what do you mean for fix the nas? Should I use another brand/model of AP? What I am trying to tell you is are the about of 30 AP's that I am using broken?

Yes.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius error: Discarding conflicting packet
I use the EAP/TTLS and EAP/PAP scheme. I have the same error as you but it is somewhat random. In my case, the Linksys WRT54GL APs have OpenWRT WhiteRussian installed. Could it be something bad in the clients? I've seen things too weird in Mac OS X clients... I'd like to know if your problems have been fixed with Asus WL-G330ge. Also, I think that overlapping channels can be causing the error, so I'll change that...

Hi,

I can tell you that with my tests, I figured out that it's happening with all sorts of clients (MacOSX, XP, Vista). It appears only to be happening with the WAP54G (and now the WRT54GL you say). When I replaced the WAP54G with a WAP200, the errors disappeared with the same clients. I tested this on many locations with many different clients and everywhere the same results. It must be the WAP54G then.

I'm still using those AP's and I keep getting the error in the logs. It's indeed quite random. The error seems not harmful (although the source code of freeRadius says the AP is broken). I haven't been able to link complaints of customers to this specific error, so I guess I should just stop paying attention.

I ruled out the possibility that overlapping channels are causing the problem. I tested it with overlapping channels and without. Nothing changes regarding the error.

I mailed Linksys about the problem, and they sent me a newer beta-firmware which isn't on their website. It's for the WAP54G of course. If you want it, I put it on our website here: http://www.orxnet.org/files/http://www.orxnet.org/ WAP54G-Cisco-EU-EN-3.08.02.zip It works, but doesn't give me the results I hoped for.

So, I don't have the solution, but I guess it's not really that bad. If you ever solve the problem I'd like to hear it! :) Good luck!

Gr, Jelle

Greets-
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin
Re: peap without client side certificate
But please do give the client the radius-server-certificate so it knows which server to authenticate with. If you don't use that certificate anybody can set up an (intermediate) radius-server and make you authenticate with that (without you knowing it). After that, all your data will flow through this malicious server and information could be stolen!

gr, jelle

2008/9/6 Alan DeKok [EMAIL PROTECTED]

Ahmet DÜLGAR wrote:

Finally i run freeradius 2.0.5 + mysql +wpa with peap mode by your helps i choose peap because in documents says peap doesnt need client side certificate

Yes.

still i cant understand the certificate types i create it by /etc/raddb/certs make is there other way to build only server side certificates or other type mode like peap

Huh? The certificates created by the Makefile in raddb/certs can be used by the server. It produces a client certificate, but there's no requirement for you to use it.

i dont want to give my customers client certificates,

Then don't.

i will use freeradius in a hotel like a hotspot, so they will need only user name and pass they will see my ssid and try to login by user name and password, they shouldnt change any configuration or install anything else, this is my project, how can i do it simply

Follow the instructions on my web site. Don't give the clients a certificate. It's that easy.

Alan DeKok.
Re: Fwd: Certificate problem on Windows XP clinet ...
Well, since we still don't know anything... You could try rebuilding the certs with the following scripts and use those scripts in freeRadius. The scripts make CA certs, server certs AND client certs. Good luck!

scripts: http://wiki.freeradius.org/WPA_HOWTO#Step_1:_Make_Certificates

jelle

2008/8/23 Venkata LK Mula [EMAIL PROTECTED]

Hi Ivan, network Roaming test2 in which Roaming test2 is the SSID. regards, Venkat

- Original Message -
From: Venkata LK Mula
To: FreeRadius users mailing list
Subject: Re: Fwd: Certificate problem on Windows XP clinet ...
Date: Sat, 23 Aug 2008 08:31:01 +0530

Hi Ivan, network Roaming test2 in which Roaming test2 is the SSID. regards, Venkat

- Original Message -
From: Ivan Kalik
To: FreeRadius users mailing list
Subject: Re: Fwd: Certificate problem on Windows XP clinet ..
Date: Sat, 23 Aug 2008 01:51:24 +0100

How? What do you think we know about network Roaming test2 setup?

Ivan Kalik
Kalik Informatika ISP

On 22/8/2008, Venkata LK Mula wrote:

Hi, Can anybody respond to my earlier request please. regards, Venkat

- Forwarded Message -
From: Venkata LK Mula
To:
Subject: Certificate problem on Windows XP clinet ...
Date: Thu, 21 Aug 2008 00:33:26 +0530

Hi, Regarding the above mentioned subject, we are facing the problem of Windows was unable to find the certificate to log on to the network Roaming test2. Though the certificates are installed properly, and when we are using the same certificates for 'PEAP-MSCHAPv2' with 'validate server certificate' working fine. Can anyone look into the same and respond me back please. regards, Venkat

[Attachment: cacert.der] [Attachment: clinet.p12]
Re: I've started to put the book online
Just great! Thanks, I'll be sure to read it.

2008/8/19 Alan DeKok [EMAIL PROTECTED]

http://deployingradius.com/book/

Only parts of the first chapter are online. It covers the basic concepts behind RADIUS, and should hopefully address a number of common misunderstandings about how it all works. Keep checking the site. More will be coming later.

Alan DeKok.
Solutions: Various certificate issues with MACOSX (TLS Errors)
Hi,

I'm posting this to the list just for future reference. Though this may not seem a freeRadius issue, it still had a lot to do with it. Probably people with the same issues will look in this list for answers.

I've been struggling with various freeRadius certificate issues the past year. Mainly Apple's OSX had problems with connecting. The problem got more complicated because different OSX versions reacted differently and had to be configured differently. The errors that kept popping up in the freeRadius logs (and because of which authentication failed) were:

Tue Jun 24 16:18:26 2008 : Error: TLS Alert read:warning:close notify
Tue Jun 24 16:18:26 2008 : Auth: Login incorrect: [UserX/via Auth-Type = EAP] (from client NAS-name port 62 cli 001d4ffdebe8)

The error on the OSX client was something like 802.1x Authentication has failed or it gives a TLS error.

I recently found how to solve the problem on all Apple OSX clients. Looking backward it seems obvious, but I struggled with it for a long time nevertheless.

Configuration:
* Server: freeRadius 2.0.5 using PEAP without client certificates. !Server certificate is self-signed!
* AP: Linksys WAP54G, WPA-Enterprise, AES
* Client: Apple MacOSX (tested with 10.3x 10.4x and 10.5x)

Problem:
* The Airport was configured as follows:
- Created new 802.1x connection and set Configuration: Disable 802.1x login, set username, password and network and set ONLY PEAP (for what I use on my WLAN).
- Now connect to the network with WPA-Enterprise, username, password and 802.1x authentication.

What will happen is that either you get a popup window regarding the self-signed server certificate and you should push 'Continue' or authentication will fail. When you get the popup window, push 'Continue' and the Airport will connect correctly. Make sure you DON'T set the trust settings regarding the certificate to Always trust because then authentication will fail in the future. I don't know why this is the case, it just is... It means your users will always have to push the 'Continue' button when connecting.

When authentication fails without a certificate popup, you probably already have a certificate installed (OSX did that itself) that refers to your freeRadius server. Could be the test certificate when freeRadius was launched for the first time. To resolve the problem on the OSX client go to Programs - Utilities - Keychain access and look for certificates regarding your radius-server. Now delete them or, if the certificates are the right ones, set the 'trust settings' to Ask (every time).

The main problem here is how OSX deals with self-signed certificates. It somehow needs to ask the user for accepting the certificate every time it connects to freeRadius. When OSX is set to always trust it, it fails to send the right credentials or authentication information. I will try it with a certificate from a Certified CA. OSX should accept that one immediately. More on that later.

If anybody has more/other information on this, I'm happy to read that! :)

Yours, Jelle
Re: Bind socket?
Your radiusd is still running. Stop it first before you start another pid.

jelle

2008/6/23 ELOM ETSE [EMAIL PROTECTED]:

While i was resolving the problem of lib rlm_exec, i meet with this another problem.

ERROR: Failed to open socket: cannot bind socket: Cannot assign requested address
/usr/local/etc/raddb/radiusd.conf[236]: Error binding to port for 192.168.2.15 port 1812

I try to get a suitable answer on web but unfortunately i did not. Can you help me please?
Re: No Aoth Type problem again
So, for the sake of 'clean' configs I reinstalled freeRadius 2.0.5 (which I was running before btw..) and changed nothing except default_eap_type = peap. To my amazement it ran perfectly! Then I turned MySQL auth on and it worked! After all these hours figuring out freeRadius and following HowTos, it now runs out of the box! Were there so many changes from 2.0.3 to 2.0.5? Anyway, thanks for all the help Alan and Ivan!

Jelle

2008/6/20 Alan DeKok [EMAIL PROTECTED]:

Jelle Langbroek wrote:

Hi, I know it's plain English but I still can't figure out where the warning is coming from and what I have to change. It finds the password, but still gives the auth(failure):

You're running 2.0.4, and you need to install raddb/sites-enabled/inner-tunnel.

Alan DeKok.
Re: No authentication method (AUth Type) problem.
Yep, I got the same error with 2.0.5 (SQL, not LDAP). It might have something to do with the radgroupcheck table not having the Auth-Type set correctly (to EAP maybe?). Hadn't got time for testing that. Maybe you have some use for this information. Please post if it works!

Jelle

2008/6/19 Andy An [EMAIL PROTECTED]:

Hi: I am a new guy to deal with freeradius/wireless stuff. I use freeradius 2.0.5 with LDAP back end. If I test with radtest (localhost) or with NTRadPing (from another WINXP machine) it works fine (return Access-Accept). But if I test with MAC Airport as a client and Netgear WG 302 as a AP it fails again and again no matter how I adjust the configuration file around (e.g. eap.conf, sites-enabled/ldap, radiusd.conf etc.) Thanks in advance for any help/clue/guide.

P.S.
---Mac client settings:
802.1x enabled with PEAP(outer identity: none) and TTLS(inner auth: mschapv2 outer identity: none)
Security: WPA enterprise
---Netgear WG302 settings:
Security: WPA with radius
Data encrypt: TKIP+AES
Auth server port: 1812
Acc server port: 1813
--- the info cut from the radiusd -X output:

rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user andyan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user *(It might be problematic from here)*
auth: Failed to validate the user.
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - andyan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 23 to 10.10.10.228 port 1059
EAP-Message = 0x04050004
Message-Authenticator = 0x
Finished request 5.
Going to the next request
MacOSX Leopard authentication with Freeradius
Hi,

I'm using freeRadius 2.0.3 on my WLAN. I have WindowsXP, WindowsVista and Apple (OSX) clients. Windows clients authenticate well with freeRadius but I have problems with OSX Leopard. I can't figure out where the problem originates from. I'm using MySQL, Cleartext-Passwords, PEAP auth, WPA-Enterprise, AES. The error that pops up while authenticating OSX is the following (see below for extended logs):

Tue Jun 17 20:02:53 2008 : Error: TLS Alert read:warning:close notify
Tue Jun 17 20:02:53 2008 : Auth: Login incorrect: [userX] (from client NAS1-WiFi port 8 cli 001c34c14d76)

Does anybody have experience with OSX clients and freeRadius? Does anybody have a radiusd and eap configuration file which is known to work with OSX Leopard and could you post it to me? Of course I realise that the problem could be with the AP (WAP54G) or the clients itself. I've done many hours of testing/reading though but can't figure out what's causing it.

Ok, thanks for all your help!

gr, Jelle

Logs of radiusd -X:

As you can see I use a little bit of a hacked version of the SQL implementation to use another MySQL table (integration with Lan Management System), but that shouldn't matter. As I said, other clients authenticate without problems.
User-Name = userX
NAS-IP-Address = 172.16.27.18
Called-Station-Id = 001a70abad32
Calling-Station-Id = 001b63c13f76
NAS-Identifier = 001a70abad32
NAS-Port = 8
Framed-MTU = 1400
State = 0xeb256c65e8d575619976542f479f49d4
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02f0002f198000251503010020c5ac7365546396895a7fb74e2ab11d3ec7a8f2de0a7c761fda82cbd9f1a99de2
Message-Authenticator = 0x2f90d0e5a8325a3bf379f1243dda8195
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/172.16.27.18/auth-detail-20080617
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.27.18/auth-detail-20080617
expand: %t - Tue Jun 17 20:17:07 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = userX, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 240 length 47
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
expand: %{User-Name} - userX
rlm_sql (sql): sql_set_user escaped user -- 'userX'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT ownerid as id, username, 'Cleartext-Password' as attribute, passwd as value, ':=' as op FROM nodes WHERE username = 'userX' ORDER BY id
expand: SELECT 'dynamic' as groupname FROM customers WHERE name = '%{SQL-User-Name}' ORDER BY id - SELECT 'dynamic' as groupname FROM customers WHERE name = 'userX' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 37
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
SSL Connection Established
rlm_eap_tls: Application Data
rlm_eap_peap: Tunneled data is invalid.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [userX/via Auth-Type = EAP] (from client NAS1-WiFi port 8 cli 001b63c13f76)
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
EAP-Message = 0x04f4
Message-Authenticator = 0x
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +33
Re: simple web interface
Wow! That looks absolutely great! I've searched a lot for an interface like that. Right now I have Radius (mysql) connected to our LAN Management System (LMS). Also great by the way... Thanks!

gr, jelle

On 15/06/2008, Liran Tal [EMAIL PROTECTED] wrote:

Hey Vittore

On Tue, Jun 3, 2008 at 1:25 PM, Vittore Zen [EMAIL PROTECTED] wrote:

Hi, anyone have a simple php web mysql users interface? More more more simple that dialup admin. The manager will do:
1. insert/modify a user account
2. give a password
3. setup start-end life (time) of account
4. setup a detail (name)

daloRADIUS is a RADIUS web application for management and many more. The website contains much more information as well as Wiki, HowTos, screenshots, and even a login free demo installed on a public server so you can get a good impression.

http://sourceforge.net/projects/daloradius

Regards, Liran Tal.
Re: eap/tls authentication problem
So, you should probably create a new certificate with a certified CA or a correct own CA. Install openssl and follow a howto on creating new certificates. Make sure you match Common Name to server.domainname. Furthermore change certificate options (like password) in eap.conf.

gr, jelle

rlm_eap_tls: TLS 1.0 Handshake [length 0377], Certificate
-- verify error:num=20:unable to get local issuer certificate
chain-depth=0, error=20
-- User-Name = mike
-- BUF-Name = mike
-- subject = /C=NL/ST=Netherlands/O=C2C/CN=mike/[EMAIL PROTECTED]
-- issuer = /C=NL/ST=Netherlands/O=C2C/CN=BDHZ_server/[EMAIL PROTECTED]
-- verify return:0
rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
6996:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2004:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Re: eap/tls authentication problem
Oh, and when using TLS, install client certificate on client.

2008/6/15 Jelle Langbroek [EMAIL PROTECTED]:

So, you should probably create a new certificate with a certified CA or a correct own CA. Install openssl and follow a howto on creating new certificates. Make sure you match Common Name to server.domainname. Furthermore change certificate options (like password) in eap.conf.

gr, jelle

rlm_eap_tls: TLS 1.0 Handshake [length 0377], Certificate
-- verify error:num=20:unable to get local issuer certificate
chain-depth=0, error=20
-- User-Name = mike
-- BUF-Name = mike
-- subject = /C=NL/ST=Netherlands/O=C2C/CN=mike/[EMAIL PROTECTED]
-- issuer = /C=NL/ST=Netherlands/O=C2C/CN=BDHZ_server/[EMAIL PROTECTED]
-- verify return:0
rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
6996:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2004:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Re: Freeradius error: Discarding conflicting packet
Hi,

Thanks for your reply. I began testing different setups immediately. I located 1 AP which didn't regenerate the error (AP1) and swapped it with one which did generate the error (AP2). I then saw that AP1 (which now was located on the place of AP2), began generating the same errors. The clients are fixed, so I tested with the same clients on that location.

My conclusion:
1) The error probably has something to do with the WAP54G, but;
2) The error is only produced in combination with some clients (don't know if it's a hardware issue, because it seems to have nothing to do with the OS. OSX and Windows Vista/XP are all 'sometimes' producing the error.)
3) It might have something to do with overlapping channels, but my tests are not yet conclusive about that.

It's all so much trial and error... I decided to just buy another AP (WAP200) to test and see if the same error pops up. I'm also going to try an Asus WL-G330ge, just to be sure. More on that later...

Jelle

ps: The models I use are Linksys WAP54G, v3.1, with firmware version 3.05.

2008/6/11 Alan DeKok [EMAIL PROTECTED]:

jelle-e wrote:

Everything seems to run smoothly but before every login attempt the logs say (something like): Error: Discarding conflicting packet from client NAS-NAME port 3072 - ID: 3 due to recent request 28.

That's pretty definitive.

After that the user logs in correctly. I have no idea where to start searching for the answer. Since this error appears to occur on every AP, I don't think they're all 'broken'.

It's possible. If they're all the same manufacturer and software version, they could all have the same bug.

Does anybody have an idea? Thanks in advance!

Run tcpdump or wireshark to look at the packets. Odds are the AP's *are* sending conflicting packets. Look for 2 packets from the same client IP port, with the same RADIUS code and ID, within a second of each other. If the packet contents are different, then the AP is broken.

i.e. You can believe that FreeRADIUS is broken, but *only* on your system... and not on the other 10,000 systems with 100's of 1000's of AP's. Or, you can believe that your AP's are broken.

Alan DeKok.
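The check described in the reply above (two packets from the same client IP and port, with the same RADIUS code and ID, within a second of each other, with different contents) can be run over a decoded capture. This is an added example, not code from the thread or from FreeRADIUS; the `Captured` tuple, the function names and the sample packets are constructed for illustration, and getting datagrams out of tcpdump or wireshark into that shape is assumed.

```python
"""Added example: flag conflicting RADIUS requests in a decoded capture."""
import struct
from collections import namedtuple

# One captured UDP datagram: arrival time (seconds), source address, payload.
Captured = namedtuple("Captured", "ts src_ip src_port payload")

HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def find_conflicts(capture, window=1.0):
    """Return one dict per packet that reuses (source, code, ID) within
    `window` seconds of an earlier packet but carries different contents.
    Byte-identical repeats are retransmissions and are not reported."""
    last = {}
    conflicts = []
    for pkt in sorted(capture, key=lambda p: p.ts):
        if len(pkt.payload) < HEADER_LEN:
            continue  # too short to be RADIUS
        code, ident, length = struct.unpack("!BBH", pkt.payload[:4])
        if length < HEADER_LEN or length > len(pkt.payload):
            continue  # length field does not fit the datagram
        body = pkt.payload[:length]  # ignore any padding after the packet
        key = (pkt.src_ip, pkt.src_port, code, ident)
        prev = last.get(key)
        if prev is not None:
            prev_ts, prev_body = prev
            if pkt.ts - prev_ts < window and body != prev_body:
                conflicts.append({
                    "src": "%s:%d" % (pkt.src_ip, pkt.src_port),
                    "code": code,
                    "id": ident,
                    "gap": round(pkt.ts - prev_ts, 3),
                    "authenticator_changed": body[4:20] != prev_body[4:20],
                })
        last[key] = (pkt.ts, body)
    return conflicts


def access_request(ident, authenticator, user):
    """Build a minimal Access-Request (code 1) with one User-Name attribute."""
    attr = bytes([1, 2 + len(user)]) + user
    header = struct.pack("!BBH", 1, ident, HEADER_LEN + len(attr))
    return header + authenticator + attr


# Constructed capture (not from the thread): one NAS at 192.0.2.10:3072.
SAMPLE = [
    Captured(0.00, "192.0.2.10", 3072, access_request(3, b"A" * 16, b"userX")),
    # Same ID 0.4 s later with a new authenticator: a conflicting packet.
    Captured(0.40, "192.0.2.10", 3072, access_request(3, b"B" * 16, b"userX")),
    Captured(2.00, "192.0.2.10", 3072, access_request(4, b"C" * 16, b"userX")),
    # Byte-identical repeat: an ordinary retransmission.
    Captured(2.30, "192.0.2.10", 3072, access_request(4, b"C" * 16, b"userX")),
    # ID 3 reused after more than a second: normal ID recycling.
    Captured(5.00, "192.0.2.10", 3072, access_request(3, b"D" * 16, b"userX")),
]

if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE):
        print(hit)
```

Only the second sample packet is reported; the retransmission and the later ID reuse are not.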
Freeradius error: Discarding conflicting packet
Hi,

I've enabled extensive logging and radiusd runs as daemon process (# /usr/local/sbin/radiusd). I have a medium sized network with about 25 Access Points (AP's) now (Linksys WAP54G). It runs with following encryption options: WPA-Enterprise, AES, PEAP, mschapv2, without using certificates.

Everything seems to run smoothly but before every login attempt the logs say (something like):

Error: Discarding conflicting packet from client NAS-NAME port 3072 - ID: 3 due to recent request 28.

After that the user logs in correctly. I have no idea where to start searching for the answer. Since this error appears to occur on every AP, I don't think they're all 'broken'. Does anybody have an idea? Thanks in advance!

In the freeradius source I found the following regarding the error:

    gettimeofday(&when, NULL);
    when.tv_sec -= 1;

    /*
     * If the cached request was received
     * within the last second, then we
     * discard the NEW request instead of the
     * old one. This will happen ONLY when
     * the client is severely broken, and is
     * sending conflicting packets very
     * quickly.
     */
    if (timercmp(&when, &request->received, <)) {
        radlog(L_ERR, "Discarding conflicting packet from client %s port %d - ID: %d due to recent request %d.",
               client->shortname, packet->src_port, packet->id, request->number);
        return 0;
    }
EAP/TLS - invalid Message-Authenticator
Hi,

I have setup freeradius-0.9.3-106.6 on SuSE Linux 9.1 for EAP/TLS Authentication using a US Robotics Wifi AP2249. I followed the steps described on http://text.dslreports.com/forum/remark,9286052~mode=flat

- CA certs private key OK
- radius server cert private key OK
- wifi client cert private successfully imported with pkcs12 into WinXP Home Edition SP1 (all certs are generated by openssl-0.9.7d-15.13)
- wifi AP configured for 802.1x with shared secret (also on radius server):

    client 10.123.27.5 {
        secret = secret
        shortname = wifi
    }

- configured Radius server for tls auth:

    eap {
        default_eap_type = tls
        tls {
            private_key_file = /etc/raddb/eapow/eapow_priv.pem
            certificate_file = /etc/raddb/eapow/eapow.cert
            CA_file = /etc/raddb/eapow/ca_cert.pem
            dh_file = /etc/raddb/eapow/dh
            random_file = /etc/raddb/eapow/random
            fragment_size = 1024
            include_length = yes
        }
    }

- WinXP client configured for EAP/TLS using the imported certificate
- created the user in the radius server

When I try to connect my WinXP client to the AP, i can see incoming request but i get this error:

Sat Jan 29 12:20:41 2005 : Error: Received packet from 10.123.27.5 with invalid Message-Authenticator! (Shared secret is incorrect.)

Although the same secret is configured in both the AP and the Radius server. Any ideas ?

--
Friendly regards,
Jelle Vink
X-Truder Networks
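How the check behind the "invalid Message-Authenticator" log line works, as an added example that is not part of the original post and is not FreeRADIUS code: per RFC 3579 the attribute (type 80) is an HMAC-MD5 over the whole Access-Request, keyed with the shared secret and computed with the attribute's 16 value bytes set to zero. The function names and the sample packet are constructed for illustration; only the secret string `secret` comes from the `client` block in the post.

```python
"""Added example: RFC 3579 Message-Authenticator check on an Access-Request."""
import hashlib
import hmac
import struct

USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def locate_message_authenticator(packet):
    """Return (offset of the 16 value bytes, packet length from the header)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    pos = HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must carry 16 bytes")
            return pos + 2, length
        pos += attr_len
    raise ValueError("no Message-Authenticator attribute")


def expected_message_authenticator(packet, secret):
    """HMAC-MD5 over the packet with the attribute value zeroed."""
    off, length = locate_message_authenticator(packet)
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """True only if the received value matches what `secret` produces."""
    off, _ = locate_message_authenticator(packet)
    received = packet[off:off + 16]
    return hmac.compare_digest(received,
                               expected_message_authenticator(packet, secret))


def sign_access_request(ident, authenticator, attrs, secret):
    """NAS side: append a zeroed Message-Authenticator, then fill it in."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, ident, HEADER_LEN + len(body))
    packet = header + authenticator + body
    off, _ = locate_message_authenticator(packet)
    digest = expected_message_authenticator(packet, secret)
    return packet[:off] + digest + packet[off + 16:]


# Constructed sample: EAP-Response/Identity for "userX" inside an
# Access-Request signed by a NAS configured with the secret b"secret".
EAP_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"userX"
SAMPLE_REQUEST = sign_access_request(
    7, bytes(range(16)),
    [(USER_NAME, b"userX"), (EAP_MESSAGE, EAP_IDENTITY)],
    b"secret",
)

if __name__ == "__main__":
    # The last candidate has a trailing space, a constructed mismatch.
    for candidate in (b"secret", b"Secret", b"secret "):
        print(candidate, verify_message_authenticator(SAMPLE_REQUEST, candidate))
```

Any byte of difference between the two keys, or any change to the packet after signing, fails the comparison.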
Re: EAP/TLS - invalid Message-Authenticator
On Saturday 29 January 2005 18:14, Alan DeKok wrote:

Jelle Vink [EMAIL PROTECTED] wrote:

I have setup freeradius-0.9.3-106.6

Why? 1.0.1 has been out for months, and has many bugs fixed and features added.

OK, just installed the latest version available from SuSE themselves. I will compile the latest one from the freeradius website.

Thanks, Jelle