Re: EAP-TLS multi clients

2006-08-31 Thread Matteo Lazzarini

Matteo Lazzarini wrote:


K. Hoercher wrote:


On 8/29/06, Lazzarini Matteo [EMAIL PROTECTED] wrote:


 First of all, excuse me for my English. :-(




Ah no problem, after it got sorted out.

itself correctly to the WLAN, authenticated by FreeRADIUS with
EAP-TLS.

 So now there are no more problems as far as authentication is
concerned.




Grats. So it was just my pessimism to suppose there are still issues.


 The CA.all script generates only 1 server, 1 client and 1 root cert for me




Hm. Ok, those are just provided to be able to check the freeradius
setup with respect to eap et al., they are not meant to be a
production CA. So I'd suggest looking at openssl.org for further
information (looking at the scripts might give you some starting point
though). Basically you are to issue (unique) client certs (modelled to
the one CA.all gave you) to other users either by acting as your own
CA or using some commercial CA.

regards
K. Hoercher
- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


I need certs for 3 clients, for some tests on FreeRADIUS with 
a sniffer that captures the input.
Therefore I want test certs of the type I already use, generated 
with the CA.all script.

How can I make 3 distinct certs for the clients?
Is it possible to modify CA.all in order to create certs for 1 root, 1 
server and 3 or more client certs for EAP-TLS (xpextensions included)?
Can someone also give me information on guides that could 
help me?

A thousand thanks to all

Matteo ;-)



Can someone give me some info/help?
Thanks


Re: Eap-Tls Problem

2006-08-25 Thread Matteo Lazzarini

K. Hoercher wrote:


Hi,

so Matteo is trying to setup wireless 8021x auth with freeradius.
Eventually most of the information happened to end in -devel, where I
asked him to stop mailing to, because I'm quite convinced that his
problems don't belong there.

That said, dpkg -s freeradius openssl should give you the
information you are seeking, which looks quite irrelevant to the
problem at hand.

In short, after the information you gave, I strongly suspect the XP
supplicant not responding to Challenges due to still improper OIDs in
your certs. Please make double sure your windows cert store or however
it is called contains the rootCA and your certificate properly, and
those get into consideration when you test your wireless setup.
Exporting them from cert store and attaching them (provided they are
for test purposes and don't contain real crypto secrets) would be my
suggestion.
Something along this line should apply to your /etc/X1/jagger.pem.

ah and yes, just the default users file would suffice.

regards
K. Hoercher



I have not managed to find a solution to my problem.
I have verified by exporting the certs stored on the client.
They are the same as the originals.
How can I generate certs that are sure to work for my case?
Must I install the appropriate libraries?
Could the XP supplicant be giving problems... (SP2)?
Would I have to use a different one?
Any ideas/help?

Matteo


Eap-Tls Problem

2006-08-23 Thread Matteo Lazzarini


I have installed the latest available version of FreeRADIUS (1.1.2, which
seems to work!), but I know that there is also an August SNAPSHOT
version; that one gave me problems compiling and did not install the
EAP-TLS module for me (Debian bug).
I installed the libs with the command apt-get install
openssl libssl-dev, and this is the output of dpkg -l | grep SSL

ii  libflac++5c2         1.1.2-1ubuntu2        Free Lossless Audio Codec - C++ runtime libr
ii  libflac7             1.1.2-1ubuntu2        Free Lossless Audio Codec - runtime C librar
ii  liboggflac3          1.1.2-1ubuntu2        Free Lossless Audio Codec - runtime C librar
ii  libssl-dev           0.9.7g-1ubuntu1.1     SSL development libraries, header files and
ii  libssl0.9.7          0.9.7g-1ubuntu1.1     SSL shared libraries
ii  libwww-ssl0          5.4.0-9ubuntu0.5.10   The W3C-WWW library (SSL support)
ii  openssl              0.9.7g-1ubuntu1.1     Secure Socket Layer (SSL) binary and related
ii  python-pyopenssl     0.6-2ubuntu1          Python wrapper around the OpenSSL library (d
ii  python2.4-pyopenssl  0.6-2ubuntu1          Python wrapper around the OpenSSL library, e
ii  ssl-cert             1.0-11                Simple debconf wrapper for openssl

On the OpenSSL site many versions can be downloaded, e.g.
0.9.7a-x, 0.9.8a-x, etc.
Which is the correct version?
Can someone give me information about which FreeRADIUS version
should be paired with which OpenSSL version?

Thanks in advance

Matteo




Re: Eap-Tls Problem

2006-08-23 Thread Matteo Lazzarini

K. Hoercher wrote:


Hi,

so Matteo is trying to setup wireless 8021x auth with freeradius.
Eventually most of the information happened to end in -devel, where I
asked him to stop mailing to, because I'm quite convinced that his
problems don't belong there.

That said, dpkg -s freeradius openssl should give you the
information you are seeking, which looks quite irrelevant to the
problem at hand.

In short, after the information you gave, I strongly suspect the XP
supplicant not responding to Challenges due to still improper OIDs in
your certs. Please make double sure your windows cert store or however
it is called contains the rootCA and your certificate properly, and
those get into consideration when you test your wireless setup.
Exporting them from cert store and attaching them (provided they are
for test purposes and don't contain real crypto secrets) would be my
suggestion.
Something along this line should apply to your /etc/X1/jagger.pem.

ah and yes, just the default users file would suffice.

regards
K. Hoercher


I have not understood your suggestion. But how can I be sure that the 
certs are correct for TLS?

Excuse me, but I have only been using FreeRADIUS for a short while.
If I use the CA.all script that I find in the scripts directory, I obtain 
the same type of certs that I use now!

What is the cause of this problem?
I don't want to give up!
Tomorrow I will also run the tests with PEAP and see with a sniffer what 
comes out of the client when my Access-Request is sent...

Thanks


Eap-Tls Problem

2006-08-21 Thread Matteo Lazzarini
Hello, I'm a new user, and I'm trying to set up EAP-TLS authentication 
using FreeRADIUS 1.1.2.

My system is debian stable.

I installed freeradius 1.1.2 (./configure, make, make install) and 
libssl-dev (apt-get install libssl-dev) as described here:

http://web.archive.org/web/20031206113912/http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#3
http://www.alphacore.net/spip/article.php3?id_article=33

When I start FreeRADIUS I see this:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = yes
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/1x/jagger.pem
tls: certificate_file = /etc/1x/jagger.pem
tls: CA_file = /etc/1x/root.pem
tls: private_key_password = whatever
tls: dh_file = /etc/1x/dh
tls: random_file = /etc/1x/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
tls: cipher_list = (null)
tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
detail: detailfile = 

Segmentation Fault

2006-05-23 Thread Matteo Lazzarini

Help me please.
Could the cause be my AP, a D-Link DWL-900AP+?

Of the several attempts I made, the clients connected only once.
Only a single time did it succeed in connecting.
The requests from the Win XP client leave correctly, with the certificates 
previously installed on the client.



Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
main: prefix = /usr/local/radius
main: localstatedir = /usr/local/radius/var
main: logdir = /usr/local/radius/var/log/radius
main: libdir = /usr/local/radius/lib
main: radacctdir = /usr/local/radius/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/radius/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/radius/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/radius/sbin/checkrad
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/radius/etc/1x/cert-srv.pem
tls: certificate_file = /usr/local/radius/etc/1x/cert-srv.pem
tls: CA_file = /usr/local/radius/etc/1x/root.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/radius/etc/1x/dh
tls: random_file = /usr/local/radius/etc/1x/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded detail
detail: detailfile = /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/radius/etc/raddb/users
files: acctusersfile = /usr/local/radius/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/radius/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/radius/etc/raddb/huntgroups
preprocess: hints = /usr/local/radius/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.5:1206, id=19, length=133
   User-Name = matteo
   NAS-IP-Address = 0.0.0.0
   NAS-Port = 0
   Called-Station-Id = 00-40-05-30-C5-86
   Calling-Station-Id = 00-12-F0-64-6D-8A
   NAS-Identifier = DWL-900AP+
   Framed-MTU = 1380
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0201000b016d617474656f
   Message-Authenticator = 0x967f88da472270a5df15034140e2040c
 Processing the authorize section 

FreeRadius

2006-05-15 Thread Matteo Lazzarini

Hello,
  for my network I would like to use FreeRADIUS in order to 
authenticate Windows XP and Linux hosts.
First of all, which access point is good and economical but available in Italy? (I 
live in Bergamo.)

Thanks

Matteo