Re: EAP-TTLS - FreeRadius - Ldap - Edirectory -Enterasys - 802.1x

2005-03-10 Thread TAYLAN KIRAN
Thank you for your response.
We tested EAP-TTLS on Enterasys switches with the Odyssey client as
supplicant and the FUNK Steel-Belted Radius server. It works, so the
Enterasys switches support EAP-TTLS.

But we can't buy Odyssey at this point, so we had to enable EAP-TTLS on
the Windows XP client with SecureW2.
But SecureW2 didn't work with the FUNK Steel-Belted Radius server (I am not
sure).

I found that SecureW2 works with FreeRADIUS. That is what we are trying
to do.
The LDAP server on eDirectory only supports PAP. That is why we have to use
EAP-TTLS - PAP.

Note: I also cannot do EAP-MD5 authentication with the FreeRADIUS server.
Thanks,

Taylan



>>> [EMAIL PROTECTED] 3/10/2005 2:36:53 AM >>>
TAYLAN KIRAN wrote:

> We are trying to authenticate our XP users with EAP-TTLS. We enabled
> EAP-TTLS support with the SecureW2
> product. Our users are on eDirectory via LDAP. We have Enterasys
> switches.
> When the switches authenticate users, they should receive the following
> string to set the port policy:
> Filter-Id = "Enterasys:version=1:mgmt=su:Policy=cit"
>
> This string is stored in the Filter-Id field on eDirectory. When a user
> authenticates, the LDAP servers should return
> the value of this field and the FreeRADIUS server should send this string to
> the switch.
>
> What should we do? I searched the whole mailing list but I can't find any
> information that is valuable for us.
> At this point I have two questions. How can we return the required field
> from eDirectory by using LDAP?
> The second one is about the certificate.
>
From what I know, Enterasys supports EAP-MD5 only on their switches. I
have it working with OpenLDAP and by adding the following radiusFilterId
attribute, i.e.

radiusFilterId: "Enterasys:version=1:policy=Enterprise User"

In ldap.attrmap you need to have something like

Filter-Id   radiusFilterId

I wrote a HOWTO on how I did it.

http://vuksan.com/linux/dot1x/802-1x-LDAP.html 

Vladimir

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: EAP-TTLS - FreeRadius - Ldap - Edirectory -Enterasys - 802.1x

2005-03-09 Thread Vladimir Vuksan
TAYLAN KIRAN wrote:
> We are trying to authenticate our XP users with EAP-TTLS. We enabled
> EAP-TTLS support with the SecureW2
> product. Our users are on eDirectory via LDAP. We have Enterasys
> switches.
> When the switches authenticate users, they should receive the following
> string to set the port policy:
> Filter-Id = "Enterasys:version=1:mgmt=su:Policy=cit"
>
> This string is stored in the Filter-Id field on eDirectory. When a user
> authenticates, the LDAP servers should return
> the value of this field and the FreeRADIUS server should send this string to
> the switch.
>
> What should we do? I searched the whole mailing list but I can't find any
> information that is valuable for us.
> At this point I have two questions. How can we return the required field
> from eDirectory by using LDAP?
> The second one is about the certificate.
 

From what I know, Enterasys supports EAP-MD5 only on their switches. I
have it working with OpenLDAP and by adding the following radiusFilterId
attribute, i.e.

radiusFilterId: "Enterasys:version=1:policy=Enterprise User"

In ldap.attrmap you need to have something like

Filter-Id   radiusFilterId

I wrote a HOWTO on how I did it.

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Vladimir
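
Added example, not part of the original posts: because the Filter-Id value stored in the directory decides which port policy the switch applies, this Python sketch audits stored values for malformed strings, unlisted policies and unexpected `mgmt=` fields before FreeRADIUS returns them. The DNs and allow-lists are constructed, and treating `mgmt=` as a grant of switch management rights is an assumption.

```python
# Added example, not code from the thread. DNs and allow-lists are constructed.
ALLOWED_POLICIES = {"cit", "Enterprise User"}   # policy names seen in the thread
ADMIN_DNS = {"cn=netadmin,o=example"}           # hypothetical admin entry

def parse_filter_id(raw):
    """Parse 'Enterasys:version=1:mgmt=su:Policy=cit' into (vendor, fields).
    Keys are lower-cased for auditing only (the thread shows 'Policy' and 'policy')."""
    vendor, sep, rest = raw.strip().strip('"').partition(":")
    if not sep or not vendor or not rest:
        raise ValueError("missing vendor prefix or fields")
    fields = {}
    for part in rest.split(":"):
        key, eq, val = part.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not eq or not key or not val:
            raise ValueError(f"bad field {part!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = val
    return vendor, fields

def audit_entry(dn, raw, allowed=ALLOWED_POLICIES, admins=ADMIN_DNS):
    """Return findings (possibly empty) for one entry's Filter-Id value."""
    try:
        vendor, fields = parse_filter_id(raw)
    except ValueError as exc:
        return [f"{dn}: malformed Filter-Id ({exc})"]
    findings = []
    if vendor != "Enterasys":
        findings.append(f"{dn}: unexpected vendor {vendor!r}")
    if fields.get("policy") not in allowed:
        findings.append(f"{dn}: policy {fields.get('policy')!r} not allowed")
    # Assumption: a mgmt= field grants switch management rights, so it is
    # expected only on entries listed as administrators.
    if "mgmt" in fields and dn not in admins:
        findings.append(f"{dn}: mgmt={fields['mgmt']} on non-admin entry")
    return findings

# Constructed entries; the two well-formed strings are those quoted in the thread.
ENTRIES = {
    "cn=netadmin,o=example": '"Enterasys:version=1:mgmt=su:Policy=cit"',
    "cn=student1,o=example": '"Enterasys:version=1:policy=Enterprise User"',
    "cn=student2,o=example": '"Enterasys:version=1:mgmt=su:Policy=cit"',
    "cn=printer,o=example": '"Enterasys:version=1:policy"',
}

def audit_all(entries=ENTRIES):
    """Map each DN that has findings to its list of findings."""
    return {dn: f for dn, raw in entries.items() if (f := audit_entry(dn, raw))}
```

Calling `audit_all()` on the constructed entries reports the non-admin entry carrying `mgmt=su` and the entry whose `policy` field has no value.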


EAP-TTLS - FreeRadius - Ldap - Edirectory -Enterasys - 802.1x

2005-03-09 Thread TAYLAN KIRAN
Hi,

We are trying to authenticate our XP users with EAP-TTLS. We enabled
EAP-TTLS support with the SecureW2
product. Our users are on eDirectory via LDAP. We have Enterasys
switches.
When the switches authenticate users, they should receive the following
string to set the port policy:
Filter-Id = "Enterasys:version=1:mgmt=su:Policy=cit"

This string is stored in the Filter-Id field on eDirectory. When a user
authenticates, the LDAP servers should return
the value of this field and the FreeRADIUS server should send this string to
the switch.

What should we do? I searched the whole mailing list but I can't find any
information that is valuable for us.
At this point I have two questions. How can we return the required field
from eDirectory by using LDAP?
The second one is about the certificate.

I know I should create a certificate, but CA.all does not work
correctly.

I get the following error when I execute CA.all.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [123456]:
An optional company name []:
Using configuration from /usr/share/ssl/openssl.cnf
Error opening CA private key ./radius/private/cakey.pem
1589:error:02001002:system library:fopen:No such file or
directory:bss_file.c:259:fopen('./radius/private/cakey.pem','r')
1589:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
unable to load CA private key
Error opening input file newcert.pem
newcert.pem: No such file or directory
Error opening input file cert-srv.p12
cert-srv.p12: No such file or directory
Error opening Certificate cert-srv.pem
1592:error:02001002:system library:fopen:No such file or
directory:bss_file.c:259:fopen('cert-srv.pem','r')
1592:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
unable to load certificate



Regards,

Taylan
