Radius client cannot connect!
Hi all, I need help. I've been doing this for some time and can't get it solved. The client tries to communicate with the server but just can't get connected. Here are the messages:

Waking up in 4.7 seconds.
        User-Name = "testing"
        NAS-IP-Address = 0.0.0.0
        Framed-MTU = 1488
        Called-Station-Id = "00:30:1a:29:03:66"
        Calling-Station-Id = "00:1c:f0:10:56:b8"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "127.0.0.1"
        Connect-Info = "CONNECT 11Mbps 802.11b"
        State = 0x50713d8653743023ce88a0c1a1b930fe
        EAP-Message = 0x... (several EAP-Message fragments carrying the TLS certificate; hex omitted)
        Message-Authenticator = 0xd97d042e7cb701a8720f28f6c5f1292b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testing at line 91
    expand: Hello, %{User-Name} -> Hello, testing
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 1467
rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 037f], Certificate
--> verify error:num=20:unable to get local issuer certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:e
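Added example (not code from the thread or from FreeRADIUS): a small triage script for the kind of radiusd -X output quoted in this and the later posts. It scans the debug lines for the failure signatures that recur in the thread (the unknown-CA verify error, the PEM "no start line" error, the socket bind error, the rlm_pap warning and the unset NAS-IP-Address) and reports what each message states; the sample excerpts are constructed to mirror the quoted output.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based line in the debug output
    tag: str          # short machine-readable label
    severity: str     # "error" or "info"
    meaning: str      # what the message itself tells you


# Signatures seen in this thread.  The meanings stick to what the OpenSSL /
# FreeRADIUS messages state; they do not guess at the fix.
SIGNATURES = [
    (r"verify error:num=20:unable to get local issuer certificate",
     "untrusted-issuer", "error",
     "OpenSSL found no certificate in the configured CA file that issued the "
     "certificate just received, so the chain cannot be built"),
    (r"TLS Alert write:fatal:unknown CA",
     "alert-unknown-ca", "error",
     "the server sent a fatal unknown_ca alert; the supplicant drops the "
     "handshake and the NAS never gets an Access-Accept"),
    (r"PEM routines:PEM_read_bio:no start line",
     "not-pem", "error",
     "a file that should be PEM has no -----BEGIN line (DER or PKCS#12 given "
     "where PEM was expected, or an empty/garbled file)"),
    (r"Error binding to port for (\S+) port (\d+)",
     "bind-failed", "error",
     "radiusd could not listen on that address/port (not a local address, "
     "or another process already holds it)"),
    (r'No "known good" password found for the user',
     "no-known-good-password", "info",
     "rlm_pap found no password attribute for the user; in the quoted "
     "EAP-TLS runs the request still continues to the EAP handler"),
    (r"NAS-IP-Address = 0\.0\.0\.0",
     "nas-ip-unset", "info",
     "the NAS sent NAS-IP-Address as 0.0.0.0; the request is still "
     "processed, so this alone does not explain a failed login"),
]
COMPILED = [(re.compile(p), tag, sev, meaning) for p, tag, sev, meaning in SIGNATURES]


def triage(lines: Iterable[str]) -> List[Finding]:
    """Scan debug output and return one Finding per matching line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for rx, tag, sev, meaning in COMPILED:
            if rx.search(line):
                findings.append(Finding(n, tag, sev, meaning))
                break
    return findings


def likely_cause(findings: List[Finding]) -> Optional[str]:
    """Pick the most actionable error tag: a certificate file that cannot be
    read or a socket that cannot be opened precedes any TLS-level failure."""
    order = ["not-pem", "bind-failed", "untrusted-issuer", "alert-unknown-ca"]
    tags = {f.tag for f in findings}
    for tag in order:
        if tag in tags:
            return tag
    return None


def report(lines: Iterable[str]) -> str:
    """Human-readable summary, one line per finding plus the likely cause."""
    findings = triage(list(lines))
    out = [f"line {f.line_no:>4} [{f.severity}] {f.tag}: {f.meaning}" for f in findings]
    out.append(f"likely cause: {likely_cause(findings) or 'no known signature matched'}")
    return "\n".join(out)


# Constructed excerpts in the style of the debug output quoted in the thread.
SAMPLE_TLS = """\
        User-Name = "testing"
        NAS-IP-Address = 0.0.0.0
        NAS-Identifier = "127.0.0.1"
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 037f], Certificate
--> verify error:num=20:unable to get local issuer certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
""".splitlines()

SAMPLE_PEM = """\
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
""".splitlines()

if __name__ == "__main__":
    print(report(SAMPLE_TLS))
    print()
    print(report(SAMPLE_PEM))
```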
Radius
Hi Ivan, here I want to ask for your advice. I have a server with two ethernet connections:

Internet --- [eth1] (DNS, DHCP server, Radius Server) Red Hat [eth0] - Wifi (Client)

If I plug XP into eth0 (network line), the server will assign an IP address to that computer and it is immediately able to connect to the internet (iptables redirects traffic to eth1). Then I try to authenticate the wifi client. I wonder why the NAS-IP-Address always shows 0.0.0.0, but when I run radtest on the server terminal it shows the IP address:

# radtest MarsNet 000 localhost 0 testing123
        User-Name = MarsNet
        User-Password = 000
        NAS-IP-Address = 192.168.1.10 (server IP address)
        NAS-Port = 0
#

I guess this might be the problem causing the client to fail to connect to the server. (The client never connects but instead shows "acquiring network address".) Further, for testing purposes, if I want to switch the incoming authentication through eth1, which ports shall I open? In your previous email you mentioned a client attribute failure. How do I fix it?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP/TLS
Thanks for the tips. If the certificates are fine then the only problem here is the radius server. XP cannot authenticate the client and can't get connected. Here is the output:

Ready to process requests.
        User-Name = "MarsNet_Client"
        NAS-IP-Address = 0.0.0.0
        Framed-MTU = 1488
        Called-Station-Id = "00:30:1a:29:03:66"
        Calling-Station-Id = "00:1c:f0:10:56:b8"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "127.0.0.1"
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x02020013014d6172734e65745f436c69656e74
        Message-Authenticator = 0x00ebc8fcffd2c906e2d36ec4fff17d3a
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "MarsNet_Client", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x
        State = 0x7382effe7381e2540240fd45d4418b28
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 1 with timestamp +930
Ready to process requests.
        User-Name = "MarsNet_Client"
        NAS-IP-Address = 0.0.0.0
        Framed-MTU = 1488
        Called-Station-Id = "00:30:1a:29:03:66"
        Calling-Station-Id = "00:1c:f0:10:56:b8"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "127.0.0.1"
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x02010013014d6172734e65745f436c69656e74
        Message-Authenticator = 0xd79261edb8c5b177b0b6334837684449
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "MarsNet_Client", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0xae557800ae5775e5b09645c04263a306
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 3 with timestamp +950
Ready to process requests.

--- On Mon, 7/7/08, Ivan Kalik <[EMAIL PROTECTED]> wrote:
From: Ivan Kalik <[EMAIL PROTECTED]>
Subject: Re: Private key
To: "FreeRadius users mailing list"
Date: Monday, July 7, 2008, 10:38 PM

Why do you care if "Windows does not have enough information to verify this certificate"? Does radius server have any problems with it?

Ivan Kalik
Kalik Informatika ISP
Private key
Hi, I need help!! I have generated CA.der, client.p12 and server.p12 from the server. CA.der is installed in XP Prof and works fine, but client.p12 has a problem: "Windows does not have enough information to verify this certificate". "You have a private key that corresponds to this certificate". Should I install server.p12 as well? Can anyone give me a hand to solve this?
Re: Certificate Error!
Somewhere
organizationName = Example Inc.
emailAddress = [EMAIL PROTECTED]
commonName = MarsNet_CA

Where should I change?

--- On Wed, 6/11/08, Ivan Kalik <[EMAIL PROTECTED]> wrote:
From: Ivan Kalik <[EMAIL PROTECTED]>
Subject: Re: Certificate Error!
To: freeradius-users@lists.freeradius.org
Date: Wednesday, June 11, 2008, 11:42 PM

Issuer: ..., MarNet
Subject: ..., MarsNet

Check certificate details. It seems that there are some typing errors there.

Ivan Kalik
Kalik Informatika ISP

On 11/6/2008, "Kwok Sianbin" <[EMAIL PROTECTED]> writes:

>Hi Ivan,
>
>The date shows in Client Cert as word format and dates are correct.
>Here I attach Cert details tab.
>Root certificate is fine.. both client and root certificates were generated at the same time.
>Afterward I tried to connect but connection failed.
>
>--- On Tue, 6/10/08, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>From: Ivan Kalik <[EMAIL PROTECTED]>
>Subject: Re: Certificate Error!
>To: "FreeRadius users mailing list"
>Date: Tuesday, June 10, 2008, 4:59 PM
>
>What is the system date format on that XP: day/month/year or
>month/day/year? Click on the certificate details tab. Are dates printed
>as words or numbers?
>
>Ivan Kalik
>Kalik Informatika ISP
>
>On 10/6/2008, "Kwok Sianbin" <[EMAIL PROTECTED]> writes:
>
>>Hi Ivan,
>>The dates are ok (up-to-date).
>>Here I attach the certificate
>>
>>- Original Message
>>From: Ivan Kalik <[EMAIL PROTECTED]>
>>To: freeradius-users@lists.freeradius.org
>>Sent: Tuesday, June 10, 2008 12:00:33 AM
>>Subject: Re: Certificate Error!
>>
>>>and then copy ca.der, client.p12 then I install the certificate into
>>>Windows XP.
>>>
>>>When click the client certificate and it shows
>>>
>>>"Windows doesn't have enough information to verify this
>>>certificate"
>>>
>>>Server cert in Trusted Root Cert
>>>
>>>"This certificate has expired or is not yet valid.
>>>
>>
>>And below there is a line Valid from ... to ... - what are the dates?
>>
>>Ivan Kalik
>>Kalik Informatika ISP
Certificate Error!
Hi, can anyone here help me to fix the error below? I ran the instructions in the README, such as:

make ca.pem
make ca.der
make server.pem
make server.csr
make client.pem

and then copied ca.der and client.p12 and installed the certificates into Windows XP. When I click the client certificate it shows "Windows doesn't have enough information to verify this certificate". Server cert in Trusted Root Cert: "This certificate has expired or is not yet valid."

Here is the ca.cnf:

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 1095
default_crl_days = 365
default_md = md5
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = 123
output_password = 123
x509_extensions = v3_ca

[certificate_authority]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = [EMAIL PROTECTED]
commonName = "Certificate Authority"

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

The only things I changed in ca.cnf, client.cnf and server.cnf were default_days and default_crl_days.
Client Certificate!
Hi Alan, as your previous email mentioned, I need to run the server script. Do you mean the script in the README file that comes with Freeradius (/raddb/scripts)?

# make server.pem
# make server.csr

I just started to use Linux, hence I am not quite familiar with it.

- Original Message
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Saturday, May 24, 2008 2:00:22 PM
Subject: Re: Re : EAP-TTLS w/MS-CHAPv2

Kwok Sianbin wrote:
...
> #radtest MarsNet Mars123 localhost 0 testing123
> User-Name = "MarsNet"
...
> if I change the configuration in radiusd.conf to bind to particular IP
> address (eth0) then about radtest failed to Accept.

  Because you're sending packets to localhost? Do you know what different network interfaces are?

...
> ++[eap] returns handled
> Reply-Message = "Hello, MarsNet"
> EAP-Message = 0x010200060d20
> Message-Authenticator = 0x
> State = 0x58961ab6589417883d2fb3d577435665
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.

  This is in the FAQ. You are using a Microsoft client, and the server certificate doesn't have the correct OID's. Use the certificate generation scripts that come with the server.

  Alan DeKok.
Re: Microsoft Client Certificate (OID)
Hi Alan, the certificate generation scripts have already been executed. Is this what you meant?

# make server.pem
# make server.csr

Kindly advise how to do it!

Alan DeKok <[EMAIL PROTECTED]> wrote:
Kwok Sianbin wrote:
...
> #radtest MarsNet Mars123 localhost 0 testing123
> User-Name = "MarsNet"
...
> if I change the configuration in radiusd.conf to bind to particular IP
> address (eth0) then about radtest failed to Accept.

  Because you're sending packets to localhost? Do you know what different network interfaces are?

...
> ++[eap] returns handled
> Reply-Message = "Hello, MarsNet"
> EAP-Message = 0x010200060d20
> Message-Authenticator = 0x
> State = 0x58961ab6589417883d2fb3d577435665
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.

  This is in the FAQ. You are using a Microsoft client, and the server certificate doesn't have the correct OID's. Use the certificate generation scripts that come with the server.

  Alan DeKok.
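Added example (not code from the thread or from the FreeRADIUS project): the checks a practitioner runs on ca.pem and server.pem before pointing eap.conf at them. It builds a throwaway CA and server certificate inline, signs the server certificate with the serverAuth extendedKeyUsage OID 1.3.6.1.5.5.7.3.1 (the extension that the xpserver_ext section of FreeRADIUS's xpextensions file sets, and the OID the Microsoft supplicant looks for), and shows the PEM check, the chain check against the right and an unrelated CA (the thread's "unable to get local issuer certificate" failure), the EKU check and the Issuer/Subject comparison. It assumes only the openssl command-line tool; all names are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for EAP-TLS certificate files.
# Assumes the openssl CLI (1.1.1 or later); everything else is built here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

write_cnf() {   # minimal req config, same shape as the ca.cnf quoted in the thread
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

new_ca() {   # new_ca <basename> <CN> -> self-signed CA cert + key in $WORK
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/C=FR/O=Example Inc./CN=$2" >/dev/null 2>&1
}

new_server_cert() {   # new_server_cert <ca basename> -> $WORK/server.pem signed by that CA
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=FR/O=Example Inc./CN=Test Server Cert" >/dev/null 2>&1
  # Same extension the xpserver_ext section of xpextensions sets (serverAuth).
  printf 'extendedKeyUsage = 1.3.6.1.5.5.7.3.1\n' > "$WORK/xpext"
  openssl x509 -req -days 1 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/xpext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# 1. Is the file a PEM certificate at all?  A DER (.der) or PKCS#12 (.p12)
#    file here is what produces "PEM routines:PEM_read_bio:no start line".
is_pem_cert() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null \
     && openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then
    echo PEM
  else
    echo NOT-PEM
  fi
}

# 2. Does the server cert chain to the CA that eap.conf's CA_file names, and
#    only to that file?  Failing this is what the supplicant sees as a fatal
#    unknown_ca alert ("unable to get local issuer certificate").
chain_ok() {   # chain_ok <ca.pem> <server.pem>
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

# 3. Does the server cert carry the serverAuth EKU the Microsoft supplicant
#    insists on?
has_server_auth_eku() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null \
       | grep -q 'TLS Web Server Authentication'; then
    echo YES
  else
    echo NO
  fi
}

# 4. Issuer of the server cert must equal the Subject of the CA character for
#    character (a MarNet / MarsNet typo, as in the thread, fails here).
issuer_matches_ca() {   # issuer_matches_ca <ca.pem> <server.pem>
  ca_subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  srv_iss=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
  [ "$ca_subj" = "$srv_iss" ] && echo MATCH || echo MISMATCH
}

run_demo() {
  write_cnf
  new_ca good "Test CA"
  new_ca other "Unrelated CA"
  new_server_cert good
  openssl x509 -in "$WORK/good.pem" -outform DER -out "$WORK/ca.der" 2>/dev/null
  echo "ca.der as PEM:        $(is_pem_cert "$WORK/ca.der")"
  echo "ca.pem as PEM:        $(is_pem_cert "$WORK/good.pem")"
  echo "chain vs right CA:    $(chain_ok "$WORK/good.pem" "$WORK/server.pem")"
  echo "chain vs other CA:    $(chain_ok "$WORK/other.pem" "$WORK/server.pem")"
  echo "serverAuth EKU:       $(has_server_auth_eku "$WORK/server.pem")"
  echo "issuer == CA subject: $(issuer_matches_ca "$WORK/good.pem" "$WORK/server.pem")"
}
run_demo
```

To check a real deployment, point the four functions at the files named by certificate_file and CA_file in eap.conf instead of the throwaway ones.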
Re: Re : EAP-TTLS w/MS-CHAPv2
Hi Alan, please help. Here I have a problem and I can't figure out what went wrong!

#radtest MarsNet Mars123 localhost 0 testing123
        User-Name = "MarsNet"
        User-Password = "Mars123"
        NAS-IP-Address = 192.168.1.5
        NAS-Port = 0
        Reply-Message = "Hello, MarsNet"

If I change the configuration in radiusd.conf to bind to a particular IP address (eth0), then the above radtest fails to Accept. My server is configured with DNS / DHCP / iptables firewall (Internet) on eth1, and eth0 connects to Wifi -> D-Link client.

# /usr/local/radiusd -X
bash: /usr/local/radiusd: No such file or directory
[EMAIL PROTECTED] saman]# /usr/local/sbin/radiusd -X
FreeRADIUS Version 2.0.4, for host i686-pc-linux-gnu, built on May 15 2008 at 21:44:23
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
        prefix = "/usr/local"
        localstatedir = "/usr/local/var"
        logdir = "/usr/local/var/log/radius"
        libdir = "/usr/local/lib"
        radacctdir = "/usr/local/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/local/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
 client 192.168.0.206 {
        require_message_authenticator = no
        secret = "testing123-1"
        shortname = "smartbridge"
 }
radiusd: Loading Realms and Home Servers
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan "
        minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix
Client can't connect "Acquiring Network address"
        EAP-Message = 0x... (EAP-Message fragments carrying the server certificate; hex omitted)
        Message-Authenticator = 0x
        State = 0x13382f46123b22a47c694fefa3fc3d08
Finished request 1.
Going to the next request

Kwok Sianbin <[EMAIL PROTECTED]> wrote:
Hi All, I have a problem generating a client certificate for Windows XP.

# make client.pem
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to 'client.key'
-
openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key `grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
unable to load certificate
4773:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
make: *** [client.crt] Error 1

I looked in client.cnf and I could not figure out what went wrong!
Re: freeradius documentation: Auth-Type
Hi, sorry for my English. After making some changes in client.cnf, "make client.pem" can't be run. Now "radiusd -X" also has a problem.

. . .
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
  tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/usr/local/etc/raddb/certs/server.pem"
        certificate_file = "/usr/local/etc/raddb/certs/server.pem"
        CA_file = "/usr/local/etc/raddb/certs/ca.pem"
        private_key_password = "Mars123"
        dh_file = "/usr/local/etc/raddb/certs/dh"
        random_file = "/usr/local/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
  }
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
 }
}
Errors initializing modules

Please, can anyone help!
Error while try to generate certificate!
Hi All, I have a problem generating a client certificate for Windows XP.

# make client.pem
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to 'client.key'
-
openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key `grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
unable to load certificate
4773:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
make: *** [client.crt] Error 1

I looked in client.cnf and I could not figure out what went wrong!
Re: EAP-TLS cert
Hi, I've installed FreeRadius-2.0.4 and it runs fine. Here are a few things I had edited.

Clients.conf
client 192.168.0.0/24 {
        secret= testing123-1
        shortname= private-network-1
}

eap {
        default_eap_type= tls
}
tls {
        fragment_size=1024
        include_lenght= yes
}

users
MarsindNet Cleartext_Password:= "hello"
        Reply-Message = "Hello, %{User-Name}"

Now I want to test connecting with Windows XP but I could not find root.der or cert-clt.p12 like the previous version has. What files should I copy and install into Windows XP as the client certificate? Thanks in advance.

Alan DeKok <[EMAIL PROTECTED]> wrote:
Kwok Sianbin wrote:
> I am newbie to linux and recently I try to implement wireless
> connnection with EAP-TLS encryption. I am using Freeradius-1.1.7
> installed into Red Hat Enterprise 4.

  You should really use 2.0.4.

> Here I encounter problems that I can't solve it alone hence I need
> advice guru from this forum.
> the problem is client just can't get connected and keep request.
> ...
> Sending Access-Challenge of id 15 to 192.168.0.206 port 1025
>...
> Going to the next request
> Waking up in 6 seconds...

  This is in the FAQ. It's also documented in the "eap.conf" file in 2.0.4.

> Here I post the CA.certs execution result as I suppect that the errors
> might be due to certificate error.
> When I run ./CA.certs and I got a few errors.

  2.0.4 also contains new scripts for certificate creation. They're MUCH better than what's in 1.1.7.

  Alan DeKok.
Error binding to port for 0.0.0.0 port 1812
Hi Alan, I've installed FreeRadius-2.0.4 and I got an error saying:

ERROR: Failed to open socket: /usr/local/etc/raddb/radiusd.conf[210]: Error binding to port for 0.0.0.0 port 1812

but when I check in radiusd.conf:
        ipaddr= *
        # interface = eth0

How can I fix this error? I have 2 ethernet cards, eth1 = 192.168.1.10 (DNS & iptables), eth0 = 192.168.0.10 (Wifi).

Here are a few things that I'd edited (uncommented):

clients.conf
client 192.168.0.0/24
        secret = testing123-1
        shortname = private-network-1

users add
MarsindNet ClearText-Password:= "testing123"
        Reply-Message := "Hello, %{User-Name}"

eap.conf
eap {
        default_eap_type = tls
}
tls {
        .
        fragment_size= 1024
        include_length = yes
}

Next step I want to test a Windows XP client but I couldn't find root.der & cert-clt.p12 as the previous version has.
uninstall freeradius
Hi, thanks for continuing to assist me. Right now I want to remove freeradius from the server and re-install version 2.0.4. For freeradius-2.0.2 and 2.05, I used the CVS command to install it, as mentioned in my previous email. So if I want to remove it, what command do I use? And for freeradius-1.1.7, I installed it by downloading the file freeradius-1.1.7.tar.bz2 from freeradius.org. I want to uninstall it also! Thanks in advance!

- Original Message
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Tuesday, May 13, 2008 11:58:40 PM
Subject: Re: EAP-TLS can't get connected..etc.

Hi,

> I installed the Freeradius 2.0.4 as Mr. Alan DeKok had suggested
> I browse www.freeradius.org and run below command.
> #cvs -d :pserver:[EMAIL PROTECTED]:/source login
> CVS password: anoncvs
> nothing happen and return to #

'nothing' should happen as all you've done is log into a CVS session

> #cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd

this will download the latest CVS version - '2.0.5' from the main site into a directory called 'radiusd' - which will be put into wherever you were when you ran the command

compile problems could be due to having the latest CVS code which might have a problem in it at any time. was there a specific reason not to use eg 2.0.4.tar.bz2 download from the freeradius.org site?

> I checked the version in /usr/share/doc/radius/VERSION and it shows 2.0.2
> (installed before)
> Have I installed freeradius-2.0.4?

not from what i've seen you type. what does eg 'radiusd -v' tell you?

> If I want to uninstall or remove previous version such Freeradius-1.1.7
> ..what command I should run or just simply delete the folder in Freeradius?

how did you install it? from RPM or APT etc? or from source?

if from source, you will need to look in the binary and library directories for all the files it will have installed...usually

/location/to/bin/rad*
/location/to/lib/rlm_*
/local/to/lib/radius*

and then a whole load of things in /usr/share/radius etc etc (just do eg 'make -n install' to see what it puts where.

alan
Re: EAP-TLS can't get connected..etc.
Hi Everyone, I installed Freeradius 2.0.4 as Mr. Alan DeKok had suggested. I browsed www.freeradius.org and ran the commands below.

#cvs -d :pserver:[EMAIL PROTECTED]:/source login
CVS password: anoncvs
nothing happens and it returns to #
#cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd

then under #/usr/share/doc/radiusd I run:
#./configure --with-openssl-includes=/usr/include/openssl --with-openssl-libraries=/usr/lib/libxm --with-prefix=/usr/local/radius
# make
#make install

and got some errors:
btool: install: error: cannot install "rlm_acctlog.la" to a directory not ending in /usr/local/lib/lib
gmake[6]: *** [install] Error1
gmake[6]: Leaving dictory '/usr/share/doc/radiusd/src/modules/rlm_acctog'
gmake[5]: *** Error 2
gmake[5]: Leaving directory '/usr/share/doc/radiusd/src/modules'
gmake[4]: *** Error 2
gmake[4]: Leaving directory '/usr/share/doc/radiusd/src/modules'
gmake[3]: *** Error 2
gmake[3]: Leaving directory '/usr/share/doc/radiusd/src'
gmake[2]: *** Error 2
gmake[2]: Leaving directory '/usr/share/doc/radiusd/src'
gmake[1]: *** Error 2
gmake[1]: Leaving directory '/usr/share/doc/radiusd'
make: *** [install] Error 2

I checked the version in /usr/share/doc/radius/VERSION and it shows 2.0.2 (installed before). Have I installed freeradius-2.0.4? Where is it located? If I want to uninstall or remove a previous version such as Freeradius-1.1.7, what command should I run, or do I just simply delete the folder in Freeradius? Thanks in advance.

- Original Message
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Friday, May 9, 2008 7:50:34 PM
Subject: Re: EAP-TLS can't get connected..etc.

Kwok Sianbin wrote:
> I am newbie to linux and recently I try to implement wireless
> connnection with EAP-TLS encryption. I am using Freeradius-1.1.7
> installed into Red Hat Enterprise 4.

  You should really use 2.0.4.

> Here I encounter problems that I can't solve it alone hence I need
> advice guru from this forum.
> the problem is client just can't get connected and keep request.
> ...
> Sending Access-Challenge of id 15 to 192.168.0.206 port 1025
>...
> Going to the next request
> Waking up in 6 seconds...

  This is in the FAQ. It's also documented in the "eap.conf" file in 2.0.4.

> Here I post the CA.certs execution result as I suppect that the errors
> might be due to certificate error.
> When I run ./CA.certs and I got a few errors.

  2.0.4 also contains new scripts for certificate creation. They're MUCH better than what's in 1.1.7.

  Alan DeKok.
EAP-TLS can't get connected..etc.
Hi everyone, I am a newbie to Linux and recently I tried to implement a wireless connection with EAP-TLS encryption. I am using FreeRADIUS 1.1.7 installed on Red Hat Enterprise 4. Here I have encountered a problem that I can't solve alone, hence I need advice from the gurus on this forum. The problem is the client just can't get connected and keeps requesting.

> /usr/src/sbin/radiusd -XA
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: prepr
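The debug dump above shows the three files EAP-TLS depends on: the server's certificate and private key (here both in cert-srv.pem, loaded "as a chain") and the CA_file that every client certificate must chain to. Before chasing the client, it is worth confirming those files with the openssl CLI. The script below is an added example, not code from the post or from FreeRADIUS: it assumes the openssl command is installed, builds a throwaway PKI in a temp directory (one "good" CA that issues the server and a client certificate, plus a second CA that issues a client certificate the server should reject), and then runs the two checks a practitioner wants: does a certificate verify against CA_file, and does the private key in a combined key+cert file actually belong to the certificate next to it. File names such as cert-srv.pem are only borrowed from the dump for readability.

```shell
#!/bin/sh
# Added example (not from the original post or FreeRADIUS).
# Assumes the openssl CLI; everything else is constructed here in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1 -> $WORK/$1.key and $WORK/$1.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" -subj "/CN=$1" -days 1 >/dev/null 2>&1
}

# Issue a certificate with CN=$1 signed by CA $2 -> $WORK/$1.key and $WORK/$1.pem
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -out "$WORK/$1.pem" -days 1 >/dev/null 2>&1
}

# Check 1: does certificate $2 chain to the CA bundle $1?
# This mirrors what the server does with CA_file when a peer presents its cert.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the private key in $1 belong to the certificate in $2?
# Both may be the same combined PEM file. Compares the SubjectPublicKeyInfo
# so it is not tied to RSA.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the constructed PKI: good CA, wrong CA, server cert, two client certs.
make_ca goodca
make_ca wrongca
issue_cert radius goodca
issue_cert client-ok goodca
issue_cert client-bad wrongca
# Combined key+cert file, as the post's config uses one file for both.
cat "$WORK/radius.key" "$WORK/radius.pem" > "$WORK/cert-srv.pem"

# Report each check without aborting under set -e.
show() {
    label=$1; shift
    if "$@"; then echo "pass  $label"; else echo "FAIL  $label"; fi
}
show "server cert chains to CA_file"            verify_chain "$WORK/goodca.pem" "$WORK/radius.pem"
show "client cert chains to CA_file"            verify_chain "$WORK/goodca.pem" "$WORK/client-ok.pem"
show "client cert from other CA (expect FAIL)"  verify_chain "$WORK/goodca.pem" "$WORK/client-bad.pem"
show "key in cert-srv.pem matches its cert"     key_matches_cert "$WORK/cert-srv.pem" "$WORK/cert-srv.pem"
```

Point the two functions at the real paths from the dump (CA_file for the bundle, the client's exported certificate, and cert-srv.pem for the key/cert check) and a failure of the first check tells you the peer certificate was not issued under the CA the server trusts, whatever the client logs say. One caveat visible in the dump itself: radiusd -X prints private_key_password in clear, so scrub it before posting debug output.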
