Re: EAP-TLS multi clients
Matteo Lazzarini wrote:

> K. Hoercher wrote:
>
>> On 8/29/06, Lazzarini Matteo [EMAIL PROTECTED] wrote:
>>> First of all I excuse myself for my English. :-(
>>
>> Ah no problem, after it got sorted out.
>>
>>> itself correctly to the wlan, authenticated from freeradius with eap-tls.
>>> Now therefore not there are more problems for that it regards the authentication.
>>
>> Grats. So it was just my pessimism to suppose there are still issues.
>>
>>> The CA.all script generates me only 1 server, 1 client and 1 root
>>
>> Hm. Ok, those are just provided to be able to check the freeradius setup with respect to eap et al., they are not meant to be a production CA. So I'd suggest looking at openssl.org for further information (looking at the scripts might give you some starting point though). Basically you are to issue (unique) client certs (modelled to the one CA.all gave you) to other users either by acting as your own CA or using some commercial CA.
>>
>> regards
>> K. Hoercher
>> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> I have need of certs for 3 clients, for some tests on freeradius with a sniffer that it capture the input. Therefore I want certs of test the type which already use, generated with the CA.all script.
>
> How I can make 3 certs for distinct for the clients? Is it possible to modify CA.all in order to create certs for 1 root, 1 server and 3 or more client certs for EAP-TLS (xpextension included)?
>
> Someone knows gives me of the information also on the guides who can help me?
>
> Thousand thanks for all
> Matteo ;-)

Someone knows to give to me of info/help?

Thanks
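K. Hoercher's advice above is to issue unique client certs from your own CA and to get the OIDs right. The following is an added example, not part of the thread and not the CA.all script: a throwaway CA driven by the OpenSSL command line that issues one server cert and three client certs with the matching extendedKeyUsage, then checks them. The function names, CNs, file layout and 30-day lifetime are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not CA.all): a throwaway test CA that issues one server cert
# and several distinct client certs for EAP-TLS. Names, paths and lifetimes
# are constructed for the demo. Assumes the OpenSSL 1.1.1+ command line tool.
#
# extendedKeyUsage OIDs: serverAuth = 1.3.6.1.5.5.7.3.1
#                        clientAuth = 1.3.6.1.5.5.7.3.2
set -eu

make_ca() {                        # $1 = working directory
    mkdir -p "$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = Test Root CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

issue_cert() {                     # $1 = dir, $2 = CN, $3 = serverAuth|clientAuth
    printf 'extendedKeyUsage = %s\n' "$3" > "$1/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -days 30 -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -extfile "$1/$2.ext" \
        -out "$1/$2.pem" 2>/dev/null
}

# True only if the cert chains to the test root and its EKU permits the given
# purpose (sslclient or sslserver); a cert with the wrong OID fails here.
valid_for() {                      # $1 = dir, $2 = CN, $3 = purpose
    openssl verify -CAfile "$1/root.pem" -purpose "$3" "$1/$2.pem" \
        >/dev/null 2>&1
}

# Count of distinct serial numbers among the named certs (must equal their number).
distinct_serials() {               # $1 = dir, $2... = CNs
    dir=$1; shift
    for cn in "$@"; do openssl x509 -in "$dir/$cn.pem" -noout -serial; done |
        sort -u | wc -l | tr -d ' '
}

demo() {                           # builds everything, prints the directory
    dir=$(mktemp -d)
    make_ca "$dir"
    issue_cert "$dir" radius-server serverAuth
    for cn in client1 client2 client3; do issue_cert "$dir" "$cn" clientAuth; done
    echo "$dir"
}
# Usage: d=$(demo); valid_for "$d" client2 sslclient && echo "client2 ok"
```

A certificate with no extendedKeyUsage at all also passes `openssl verify -purpose`, so when the supplicant insists on the OID, as the thread suspects the XP one does, also confirm the extension is present with `openssl x509 -noout -text`.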
Re: Eap-Tls Problem
K. Hoercher wrote:

> Hi,
>
> so Matteo is trying to setup wireless 8021x auth with freeradius. Eventually most of the information happened to end in -devel, where I asked him to stop mailing to, because I'm quite convinced that his problems don't belong there.
>
> That said, dpkg -s freeradius openssl should give you the information you are seeking, which looks quite irrelevant to the problem at hand.
>
> In short, after the information you gave, I strongly suspect the XP supplicant not responding to Challenges due to still improper OID's in your certs. Please make double sure your windows cert store or however it is called contains the rootCA and your certificate properly, and those get into consideration when you test your wireless setup. Exporting them from cert store and attaching them (provided they are for test purposes and don't contain real crypto secrets) would be my suggestion. Something along this line should apply to your /etc/X1/jagger.pem.
>
> ah and yes, just the default users file would suffice.
>
> regards
> K. Hoercher

I do not succeed to find one solution to my problem. I have verified exporting the certs stored in the client. It's the same of original.

How I can make to generate certs that sure they go well for my case? I must install of the appropriate libraries?

The XP supplicant could give of the problems… (SP2) Would have to use of one various?

some ideas/helps

Matteo
Eap-Tls Problem
Freeradius I have installed last version available (1.1.2 that it seems to work!) but I know that there is also an August version SNAPSHOT but to me it has given problems in compile and did not install me module EAP-TLS (bug Debian).

The lib I have installed to them with the command apt-get install openssl libssl-dev and this is the command dpkg -l | grep SSL

ii libflac++5c2 1.1.2-1ubuntu2 Free Lossless Audio Codec - C++ runtime libr
ii libflac7 1.1.2-1ubuntu2 Free Lossless Audio Codec - runtime C librar
ii liboggflac3 1.1.2-1ubuntu2 Free Lossless Audio Codec - runtime C librar
ii libssl-dev 0.9.7g-1ubuntu1.1 SSL development libraries, header files and
ii libssl0.9.7 0.9.7g-1ubuntu1.1 SSL shared libraries
ii libwww-ssl0 5.4.0-9ubuntu0.5.10 The W3C-WWW library (SSL support)
ii openssl 0.9.7g-1ubuntu1.1 Secure Socket Layer (SSL) binary and related
ii python-pyopenssl 0.6-2ubuntu1 Python wrapper around the OpenSSL library (d
ii python2.4-pyopenssl 0.6-2ubuntu1 Python wrapper around the OpenSSL library, e
ii ssl-cert 1.0-11 Simple debconf wrapper for openssl

On the Openssl site many versions can be downloaded which 0.9.7a-x, 0.9.8a-x, etc. Which the correct version?

Someone knows gives to me of the information to care of coupled freeradius-versionOpenssl-version?

anticipated thanks

Matteo
Re: Eap-Tls Problem
K. Hoercher wrote:

> Hi,
>
> so Matteo is trying to setup wireless 8021x auth with freeradius. Eventually most of the information happened to end in -devel, where I asked him to stop mailing to, because I'm quite convinced that his problems don't belong there.
>
> That said, dpkg -s freeradius openssl should give you the information you are seeking, which looks quite irrelevant to the problem at hand.
>
> In short, after the information you gave, I strongly suspect the XP supplicant not responding to Challenges due to still improper OID's in your certs. Please make double sure your windows cert store or however it is called contains the rootCA and your certificate properly, and those get into consideration when you test your wireless setup. Exporting them from cert store and attaching them (provided they are for test purposes and don't contain real crypto secrets) would be my suggestion. Something along this line should apply to your /etc/X1/jagger.pem.
>
> ah and yes, just the default users file would suffice.
>
> regards
> K. Hoercher

I have not understood your suggestion. But as I can be sure that the certs they are corrected for TLS? Excuse me but it is from little that use freeradius.

If I use the CA.all script that I find in the scripts directory I obtain the same type of certs that use now! Which thing is the cause of this problem?

I do not want to leave to lose! Tomorrow I make the tests also with Peap and see with sniffer that what out from the client when I'm asking my access-request...

Thanks
Eap-Tls Problem
Hello

I'm a new user, and I'm trying to set an Eap-Tls authentication using freeradius 1.1.2. My system is debian stable. I installed freeradius 1.1.2 (./configure, make, make install) and libssl-dev (apt-get install libssl-dev) like here:

http://web.archive.org/web/20031206113912/http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#3
http://www.alphacore.net/spip/article.php3?id_article=33

When I turn on freeradius I can see this:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = yes
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/1x/jagger.pem
tls: certificate_file = /etc/1x/jagger.pem
tls: CA_file = /etc/1x/root.pem
tls: private_key_password = whatever
tls: dh_file = /etc/1x/dh
tls: random_file = /etc/1x/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
tls: cipher_list = (null)
tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
detail: detailfile =
Segmentation Fault
Help me please.

The cause could be my AP D-Link DWL-900AP+?

In the several one tried to you once they are connected to me. A single time is successful to connect to me. The demands from client Win XP leave corrected with certify to you previously install to you in the client.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
main: prefix = /usr/local/radius
main: localstatedir = /usr/local/radius/var
main: logdir = /usr/local/radius/var/log/radius
main: libdir = /usr/local/radius/lib
main: radacctdir = /usr/local/radius/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/radius/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/radius/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/radius/sbin/checkrad
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/radius/etc/1x/cert-srv.pem
tls: certificate_file = /usr/local/radius/etc/1x/cert-srv.pem
tls: CA_file = /usr/local/radius/etc/1x/root.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/radius/etc/1x/dh
tls: random_file = /usr/local/radius/etc/1x/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded detail
detail: detailfile = /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/radius/etc/raddb/users
files: acctusersfile = /usr/local/radius/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/radius/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/radius/etc/raddb/huntgroups
preprocess: hints = /usr/local/radius/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.5:1206, id=19, length=133
    User-Name = matteo
    NAS-IP-Address = 0.0.0.0
    NAS-Port = 0
    Called-Station-Id = 00-40-05-30-C5-86
    Calling-Station-Id = 00-12-F0-64-6D-8A
    NAS-Identifier = DWL-900AP+
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0201000b016d617474656f
    Message-Authenticator = 0x967f88da472270a5df15034140e2040c
Processing the authorize section
FreeRadius
Hello,

for my net I would want to use freeradius in order to authenticate host windows XP and Linux. First of all which Access Point good economical but is found in Italy? (I live to Bergamo.)

Thanks

Matteo