Re: OpenCA Freeradius and EAP_TLS

2005-05-23 Thread Michael Schwartzkopff
On Monday, 23 May 2005 10:54, [EMAIL PROTECTED] wrote:
 Hi,

 I am a newbie at freeradius.

 I have a working installation of freeradius.
 After I have created certs using the CA.all script I can start radius.
 My Microsoft WLAN client can authenticate on the radius.
 All works fine.

 But now I will use certs from my OpenCA installation to authenticate WLAN
 clients. My OpenCA installation works fine too.
 But when I use these certificates I can't start radius. radius_start -A -X
 shows the following output
(...)

Hi,

be careful with certificates. Freeradius does not like all kinds of formats.
Perhaps you have to install the CA and server certificate separately. I
cannot remember 100% but I had similar problems.

Another problem is that Windows clients do want to have a special OID (usage)
coded into the client certificate. Read the documentation carefully.

I had very good experience with tinyCA.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42




Re: Re: OpenCA Freeradius and EAP_TLS

2005-05-23 Thread timtom

 On Monday, 23 May 2005 10:54, [EMAIL PROTECTED] wrote:
  Hi,
 
  I am a newbie at freeradius.
 
  I have a working installation of freeradius.
  After I have created certs using the CA.all script I can start radius.
  My Microsoft WLAN client can authenticate on the radius.
  All works fine.
 
  But now I will use certs from my OpenCA installation to authenticate WLAN
  clients. My OpenCA installation works fine too.
  But when I use these certificates I can't start radius. radius_start -A -X
  shows the following output
 (...)
 
 Hi,
 
 be careful with certificates. Freeradius does not like all kinds of formats.
 Perhaps you have to install the CA and server certificate separately. I
 cannot remember 100% but I had similar problems.
 
 Another problem is that Windows clients do want to have a special OID (usage)
 coded into the client certificate. Read the documentation carefully.
 
 I had very good experience with tinyCA.

Thanks Michael

Sadly I have to use OpenCA ;-)

The problems according to Microsoft are near to me. But I don't have more ideas
what I can change to start my freeradius server.

 -- 
 Dr. Michael Schwartzkopff
 MultiNET Services GmbH
 Bretonischer Ring 7
 85630 Grasbrunn
 
 Tel: (+49 89) 456 911 - 0
 Fax: (+49 89) 456 911 - 21
 mob: (+49 174) 343 28 75
 
 PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
 Skype: misch42
 

www.mails.at - The free e-mail provider

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: OpenCA Freeradius and EAP_TLS

2005-05-23 Thread Michael Griego
Are you sure your key and certificate files are PEM encoded?  Based on 
the errors, it looks like they might be DER encoded.


--Mike


Tom Tim wrote:


Hi,

I am a newbie at freeradius.

I have a working installation of freeradius.
After I have created certs using the CA.all script I can start radius.

My Microsoft WLAN client can authenticate on the radius.
All works fine.

But now I will use certs from my OpenCA installation to authenticate WLAN
clients.
My OpenCA installation works fine too.
But when I use these certificates I can't start radius. radius_start -A -X shows
the following output



Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/sh/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/sh/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/sh/root.pem"
tls: private_key_password = "testtesttest"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
10941:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:637:Expecting: CERTIFICATE
10941:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:evp_pbe.c:89:TYPE=pbeWithMD5AndDES-CBC
10941:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
10941:error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:122:
10941:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:122:
10941:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

***


Here you can see the working cert

Bag Attributes
    localKeyID: 0C BA ED 0A 7B E9 67 CD E7 0A 08 39 DB 9D 99 34 0A C6 2B A4
subject=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Root certificate/[EMAIL PROTECTED]
issuer=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Client certificate/[EMAIL PROTECTED]
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 0C BA ED 0A 7B E9 67 CD E7 0A 08 39 DB 9D 99 34 0A C6 2B A4
Key Attributes: No Attributes
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,45A3F7FFC07A6C8D
(...)
-----END RSA PRIVATE KEY-----
***

And here the OpenCA cert not working
***
-----BEGIN CERTIFICATE-----

Re: OpenCA Freeradius and EAP_TLS

2005-05-23 Thread Michael Griego

Whoops.  Didn't read the whole message before sending that last one.

--Mike



Re: OpenCA Freeradius and EAP_TLS

2005-05-23 Thread timtom

Thanks Michael Griego and Michael Schwartzkopff,

now I export my certificate from OpenCA as a PKCS#12 certificate. After that I
convert it to .pem using openssl. Now the cert file looks like the file
generated with the CA.all script and all works fine!!!


Greetings tim


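As an added example (not code from the thread, from FreeRADIUS or from OpenCA), a small POSIX shell script that applies the two diagnoses given above: it tells a PEM file from a DER one, checks that a combined server file has the same block layout as the working cert-srv.pem instead of a PKCS#8 encrypted key, checks for the client-authentication extended key usage that Windows supplicants require, and wraps the openssl pkcs12 conversion tim used. Function names and file paths are my own; the two openssl-based functions assume the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks a FreeRADIUS admin can run
# on the files named in radiusd.conf before starting radiusd, plus the
# PKCS#12 -> PEM conversion tim ended up using. File paths are placeholders.

# pem_or_der FILE: print "pem", "der" or "unknown". FreeRADIUS 1.x with
# pem_file_type = yes only accepts PEM; a DER file gives "no start line".
pem_or_der() {
    if grep -q -e '-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -N1 -tx1 "$1" | tr -d ' ')" = "30" ]; then
        echo der      # DER X.509 and key files start with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# check_server_pem FILE: return 0 when FILE holds what the thread's working
# cert-srv.pem holds: a CERTIFICATE block and a traditional RSA PRIVATE KEY
# block (optionally PEM-encrypted, which private_key_password unlocks).
check_server_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || { echo "no CERTIFICATE block"; return 1; }
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        # PKCS#8 encrypted key: the thread's log shows OpenSSL rejecting its
        # PBE algorithm (pbeWithMD5AndDES-CBC), so export/convert it instead.
        echo "PKCS#8 encrypted key, not the traditional RSA PEM format"
        return 1
    fi
    grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1" || { echo "no RSA PRIVATE KEY block"; return 1; }
    return 0
}

# client_cert_has_client_auth CERT.pem: return 0 when the certificate carries
# the extendedKeyUsage the Windows EAP-TLS supplicant expects (clientAuth,
# OID 1.3.6.1.5.5.7.3.2). Needs the openssl CLI.
client_cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Client Authentication'
}

# p12_to_pem IN.p12 OUT.pem: the conversion from the last message. Without
# -nodes the key is re-wrapped as "RSA PRIVATE KEY" with Proc-Type/DEK-Info
# headers, i.e. the same shape as the working cert-srv.pem above.
p12_to_pem() {
    openssl pkcs12 -in "$1" -out "$2"
}
```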