Re: EAP-TLS multi clients
Matteo Lazzarini wrote:
> K. Hoercher wrote:
>> On 8/29/06, Lazzarini Matteo <[EMAIL PROTECTED]> wrote:
>>> First of all I excuse me for my English. :-(
>>
>> Ah no problem, after it got sorted out.
>>
>>> itself correctly to the wlan, authenticated from freeradius with eap-tls.
>>> Now therefore not there are more problems for that it regards the authentication.
>>
>> Grats. So it was just my pessimism to suppose there are still issues.
>>
>>> The CA.all script generates me only 1 server, 1 client and 1 root
>>
>> Hm. Ok, those are just provided to be able to check the freeradius setup with respect to eap et al., they are not meant to be a production CA. So I'd suggest looking at openssl.org for further information (looking at the scripts might give you some starting point though). Basically you are to issue (unique) client certs (modelled to the one CA.all gave you) to other users either by acting as your own CA or using some commercial CA.
>>
>> regards
>> K. Hoercher
>
> I have need of certs for 3 clients, for some tests on freeradius with a sniffer that it capture the input. Therefore I want certs of test the type which already use, generated with the CA.all script.
> How I can make 3 certs for distinct for the clients? Is it possible to modify CA.all in order to create certs for 1 root, 1 server and 3 or more client certs for EAP-TLS (xpextension included)?
> Someone knows gives me of the information also on the guides who can help me?
> Thousand thanks for all
> Matteo ;-)

Someone knows to give to me of info/help? Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS multi clients
K. Hoercher wrote:
> On 8/29/06, Lazzarini Matteo <[EMAIL PROTECTED]> wrote:
>> First of all I excuse me for my English. :-(
>
> Ah no problem, after it got sorted out.
>
>> itself correctly to the wlan, authenticated from freeradius with eap-tls.
>> Now therefore not there are more problems for that it regards the authentication.
>
> Grats. So it was just my pessimism to suppose there are still issues.
>
>> The CA.all script generates me only 1 server, 1 client and 1 root
>
> Hm. Ok, those are just provided to be able to check the freeradius setup with respect to eap et al., they are not meant to be a production CA. So I'd suggest looking at openssl.org for further information (looking at the scripts might give you some starting point though). Basically you are to issue (unique) client certs (modelled to the one CA.all gave you) to other users either by acting as your own CA or using some commercial CA.
>
> regards
> K. Hoercher

I have need of certs for 3 clients, for some tests on freeradius with a sniffer that it capture the input. Therefore I want certs of test the type which already use, generated with the CA.all script.
How I can make 3 certs for distinct for the clients? Is it possible to modify CA.all in order to create certs for 1 root, 1 server and 3 or more client certs for EAP-TLS (xpextension included)?
Someone knows gives me of the information also on the guides who can help me?
Thousand thanks for all
Matteo ;-)
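Added example (not part of the original thread and not the CA.all script): a shell sketch of what K. Hoercher describes above, acting as your own test CA and issuing one unique client certificate per test client, each carrying the client-authentication extended key usage that the XP extensions exist to provide. The file names, CNs, serial numbers, key size and 30-day lifetime are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: a throwaway test CA issuing N distinct EAP-TLS client certs.
# All file names, CNs, serials and lifetimes below are constructed for this sketch.

write_cfg() {   # $1 = dir; minimal OpenSSL config holding the extension sections
    cat > "$1/eap-test.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
# id-kp-clientAuth: the EKU a Windows supplicant expects in a client cert
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
}

make_test_ca() {   # $1 = dir
    mkdir -p "$1" && write_cfg "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/eap-test.cnf" -extensions ca_ext -subj "/CN=EAP-TLS test root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

issue_client() {   # $1 = dir, $2 = client name (CN and file stem), $3 = serial
    openssl req -new -newkey rsa:2048 -nodes -config "$1/eap-test.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 30 -set_serial "$3" \
        -CA "$1/root.pem" -CAkey "$1/root.key" -extfile "$1/eap-test.cnf" \
        -extensions client_ext -out "$1/$2.pem" 2>/dev/null
}

issue_clients() {   # $1 = dir, $2 = how many clients
    make_test_ca "$1" || return 1
    i=1
    while [ "$i" -le "$2" ]; do
        issue_client "$1" "client$i" "$((100 + i))" || return 1
        i=$((i + 1))
    done
}

check_client_cert() {   # $1 = dir, $2 = file stem; chains to root AND has clientAuth
    openssl verify -CAfile "$1/root.pem" "$1/$2.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.pem" -noout -text |
        grep -q "TLS Web Client Authentication"
}

count_distinct() {   # $1 = dir; number of distinct client-cert fingerprints
    for f in "$1"/client*.pem; do
        openssl x509 -in "$f" -noout -fingerprint -sha256
    done | sort -u | wc -l | tr -d ' '
}
if [ "$#" -ge 1 ]; then issue_clients "$1" 3; fi
```

Each clientN.pem and clientN.key pair goes to one test client, and root.pem is the CA certificate that both the server's CA_file setting and the client's trusted-root store need to hold.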
Re: Eap-Tls Problem
K. Hoercher wrote:
> Hi,
>
> so Matteo is trying to setup wireless 8021x auth with freeradius. Eventually most of the information happened to end in -devel, where I asked him to stop mailing to, because I'm quite convinced that his problems don't belong there.
>
> That said, "dpkg -s freeradius openssl" should give you the information you are seeking, which looks quite irrelevant to the problem at hand.
>
> In short, after the information you gave, I strongly suspect the XP supplicant not responding to Challenges due to still improper OID's in your certs. Please make double sure your windows cert store or however it is called contains the rootCA and your certificate properly, and those get into consideration when you test your wireless setup. Exporting them from cert store and attaching them (provided they are for test purposes and don't contain real crypto secrets) would be my suggestion. Something along this line should apply to your /etc/X1/jagger.pem.
>
> ah and yes, just the default users file would suffice.
>
> regards
> K. Hoercher

I do not succeed to find one solution to my problem. I have verified exporting the certs stored in the client. It's the same of original.
How I can make to generate certs that sure they go well for my case? I must install of the appropriate libraries?
The XP supplicant could give of the problems… (SP2) Would have to use of one various?
Some ideas/helps
Matteo
Re: Eap-Tls Problem
K. Hoercher wrote:
> Hi,
>
> so Matteo is trying to setup wireless 8021x auth with freeradius. Eventually most of the information happened to end in -devel, where I asked him to stop mailing to, because I'm quite convinced that his problems don't belong there.
>
> That said, "dpkg -s freeradius openssl" should give you the information you are seeking, which looks quite irrelevant to the problem at hand.
>
> In short, after the information you gave, I strongly suspect the XP supplicant not responding to Challenges due to still improper OID's in your certs. Please make double sure your windows cert store or however it is called contains the rootCA and your certificate properly, and those get into consideration when you test your wireless setup. Exporting them from cert store and attaching them (provided they are for test purposes and don't contain real crypto secrets) would be my suggestion. Something along this line should apply to your /etc/X1/jagger.pem.
>
> ah and yes, just the default users file would suffice.
>
> regards
> K. Hoercher

I have not understood your suggestion. But as I can be sure that the certs they are corrected for TLS?
Excuse me but it is from little that use freeradius. If I use the CA.all script that I find in the scripts directory I obtain the same type of certs that use now!
Which thing is the cause of this problem? I do not want to leave to lose!
Tomorrow I make the tests also with Peap and see with sniffer that what out from the client when I'm asking my access-request...
Thanks
Eap-Tls Problem
Freeradius I have installed last version available (1.1.2 that it seems to work!) but I know that there is also an August version SNAPSHOT but to me it has given problems in compile and did not install me module EAP-TLS (bug Debian).
The lib I have installed to them with the command apt-get install openssl libssl-dev and this is the command dpkg -l|grep SSL

ii  libflac++5c2         1.1.2-1ubuntu2       Free Lossless Audio Codec - C++ runtime libr
ii  libflac7             1.1.2-1ubuntu2       Free Lossless Audio Codec - runtime C librar
ii  liboggflac3          1.1.2-1ubuntu2       Free Lossless Audio Codec - runtime C librar
ii  libssl-dev           0.9.7g-1ubuntu1.1    SSL development libraries, header files and
ii  libssl0.9.7          0.9.7g-1ubuntu1.1    SSL shared libraries
ii  libwww-ssl0          5.4.0-9ubuntu0.5.10  The W3C-WWW library (SSL support)
ii  openssl              0.9.7g-1ubuntu1.1    Secure Socket Layer (SSL) binary and related
ii  python-pyopenssl     0.6-2ubuntu1         Python wrapper around the OpenSSL library (d
ii  python2.4-pyopenssl  0.6-2ubuntu1         Python wrapper around the OpenSSL library, e
ii  ssl-cert             1.0-11               Simple debconf wrapper for openssl

On the Openssl site many versions can be downloaded which 0.9.7a-x, 0.9.8a-x, etc. Which the correct version?
Someone knows gives to me of the information to care of coupled freeradius-version&Openssl-version?
anticipated thanks
Matteo
Eap-Tls Problem
Hello

I'm a new user, and I'm trying to set an Eap-Tls authentication using freeradius 1.1.2. My system is debian stable. I installed freeradius 1.1.2 (./configure, make, make install) and libssl-dev (apt-get install libssl-dev) like here:
http://web.archive.org/web/20031206113912/http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#3
http://www.alphacore.net/spip/article.php3?id_article=33

When I turn on freeradius I can see this:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = yes
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/jagger.pem"
tls: certificate_file = "/etc/1x/jagger.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/1x/dh"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default
Segmentation Fault
help me please

The cause could be my AP D-Link DWL-900AP+?
In the several one tried to you once they are connected to me
A single time is successful to connect to me
The demands from client Win XP leave corrected with certify to you previously install to you in the client

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/radius/etc/1x/cert-srv.pem"
tls: certificate_file = "/usr/local/radius/etc/1x/cert-srv.pem"
tls: CA_file = "/usr/local/radius/etc/1x/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/radius/etc/1x/dh"
tls: random_file = "/usr/local/radius/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.5:1206, id=19, length=133
        User-Name = "matteo"
        NAS-IP-Address = 0.0.0.0
        NAS-Port = 0
        Called-Station-Id = "00-40-05-30-C5-86"
        Calling-Station-Id = "00-12-F0-64-6D-8A"
        NAS-Identifier = "DWL-900AP+"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000b016d617474656f
        Message-A
FreeRadius
Hello,

for my net I would want to use freeradius in order to authenticate host windows XP and Linux.
First of all, which good but economical Access Point can be found in Italy? (I live in Bergamo.)

Thanks
Matteo