Re: OpenCA Freeradius and EAP_TLS
On Monday, 23 May 2005 10:54, [EMAIL PROTECTED] wrote:
> Hi,
>
> I am a newbie at freeradius. I have a working installation of freeradius.
> After I have created certs using the CA.all script I can start radius. My
> Microsoft Wlan client can authenticate on the radius. All works fine.
> But now I will use certs from my OpenCA installation to authenticate wlan
> clients. My OpenCA installation works fine too. But when I use these
> certificates I can't start radius. radius_start -A -X shows the following
> output
> (...)

Hi,

be careful with certificates. Freeradius does not like all kinds of formats.
Perhaps you have to install the CA and server certificate separately. I cannot
remember 100% but I had similar problems.

Another problem is that windows clients do want to have a special OID (usage)
coded into the client certificate. Read the documentation carefully.

I had very good experience with tinyCA.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: Re: OpenCA Freeradius and EAP_TLS
> On Monday, 23 May 2005 10:54, [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> I am a newbie at freeradius. I have a working installation of freeradius.
>> After I have created certs using the CA.all script I can start radius. My
>> Microsoft Wlan client can authenticate on the radius. All works fine.
>> But now I will use certs from my OpenCA installation to authenticate wlan
>> clients. My OpenCA installation works fine too. But when I use these
>> certificates I can't start radius. radius_start -A -X shows the following
>> output
>> (...)
>
> Hi,
>
> be careful with certificates. Freeradius does not like all kinds of formats.
> Perhaps you have to install the CA and server certificate separately. I cannot
> remember 100% but I had similar problems.
>
> Another problem is that windows clients do want to have a special OID (usage)
> coded into the client certificate. Read the documentation carefully.
>
> I had very good experience with tinyCA.

Thanks Michael.

Sadly I have to use OpenCA ;-)

The problems according to Microsoft are near to me. But I don't have more ideas
what I can change to start my freeradius server.

> --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Bretonischer Ring 7
> 85630 Grasbrunn
>
> Tel: (+49 89) 456 911 - 0
> Fax: (+49 89) 456 911 - 21
> mob: (+49 174) 343 28 75
>
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
> Skype: misch42

www.mails.at - The free e-mail provider

--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: OpenCA Freeradius and EAP_TLS
Are you sure your key and certificate files are PEM encoded? Based on the
errors, it looks like they might be DER encoded.

--Mike

Tom Tim wrote:
> Hi,
>
> I am a newbie at freeradius. I have a working installation of freeradius.
> After I have created certs using the CA.all script I can start radius. My
> Microsoft Wlan client can authenticate on the radius. All works fine.
> But now I will use certs from my OpenCA installation to authenticate wlan
> clients. My OpenCA installation works fine too. But when I use these
> certificates I can't start radius. radius_start -A -X shows the following
> output:
>
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/usr/local/etc/raddb/sh/cert-srv.pem"
> tls: certificate_file = "/usr/local/etc/raddb/sh/cert-srv.pem"
> tls: CA_file = "/usr/local/etc/raddb/sh/root.pem"
> tls: private_key_password = "testtesttest"
> tls: dh_file = "/usr/local/etc/raddb/certs/dh"
> tls: random_file = "/usr/local/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> 10941:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:637:Expecting: CERTIFICATE
> 10941:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:evp_pbe.c:89:TYPE=pbeWithMD5AndDES-CBC
> 10941:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
> 10941:error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:122:
> 10941:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:122:
> 10941:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
> rlm_eap_tls: Error reading private key file
> rlm_eap: Failed to initialize type tls
> radiusd.conf[9]: eap: Module instantiation failed.
>
> *** Here you can see the working cert ***
>
> Bag Attributes
>     localKeyID: 0C BA ED 0A 7B E9 67 CD E7 0A 08 39 DB 9D 99 34 0A C6 2B A4
> subject=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Root certificate/[EMAIL PROTECTED]
> issuer=/C=CA/ST=Province/L=Some City/O=Organization/OU=localhost/CN=Client certificate/[EMAIL PROTECTED]
> -----BEGIN CERTIFICATE-----
> MIICyTCCAjKgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCQ0Ex
> ETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQHEwlTb21lIENpdHkxFTATBgNVBAoT
> DE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9jYWxob3N0MRswGQYDVQQDExJDbGll
> bnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNv
> bTAeFw0wNDAxMjUxMzI2MTBaFw0wNTAxMjQxMzI2MTBaMIGbMQswCQYDVQQGEwJD
> QTERMA8GA1UECBMIUHJvdmluY2UxEjAQBgNVBAcTCVNvbWUgQ2l0eTEVMBMGA1UE
> ChMMT3JnYW5pemF0aW9uMRIwEAYDVQQLEwlsb2NhbGhvc3QxGTAXBgNVBAMTEFJv
> b3QgY2VydGlmaWNhdGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAZXhhbXBsZS5jb20w
> gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANrFJUIr/tsIJimiy6RLNEnJDQq0
> YvtyyENKeCCYhj1+t9fnACjCt61VWlHMdWz0+h1wkWFatFDVKJVTrmYWr/AUpVCF
> 1rj7Su6YY45CYXXN02xmXGPNoXfTSSDrMFhe3IdzmZwpgPga1GOLu+ocgtBUAj23
> 7ySj7Bw/YkGpA9fzAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqG
> SIb3DQEBBAUAA4GBAHotkhsc8TvymCqReOye3m2I7cF4oui9QKCgb7bwdplXiEzX
> CEU3CDSW/RhBZSk/WDyOgkDraOBCyUsVdS5MB+gNCXea+j3VXCT6VKwpLXcgXRwk
> d+0w1Z9Xyvm9If8qjRbMCRHFDk8pV2P8tg76PD0tDkOFD25vvihJAvboNQNl
> -----END CERTIFICATE-----
> Bag Attributes
>     localKeyID: 0C BA ED 0A 7B E9 67 CD E7 0A 08 39 DB 9D 99 34 0A C6 2B A4
> Key Attributes: <No Attributes>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,45A3F7FFC07A6C8D
>
> h2Hg0jIRPlwoC0CyYxdPB/+paKyJsW5RGYH4ZG0cooZUdzcc36E68MxN6rXxw8Qr
> M14ZKr3VBgbpQD3k6SdvIYxeBK1O7V4A1NCaPl9qS4tQpHuCkwjelb+PouOC4C+5
> dspfsKri9jMrX1pmzf1vWq7DSRgSisBzcdXkp2AkkLmpAtwhD+JD4gPNVoHUP0r3
> TeM6/A8twoyi73off1pUKVTE1rFzuAl0mG5+VnLy6uHUemkpVr3nZMuVQoSp7zer
> gaZvYJ5/yfjJdFMiyW0d9ZotHJ9/yfQzUwS/1M/ufrjr2cfQTn5VeOOvW+6hKqmV
> sO0sXLPINnLleTr3bvJX6WrIMtl6I8RqzFmbn/uY1wEpVKugymdauqwmNvNCBQ+u
> W0kNlQZffmE5YcH9QKKynrTB8QXa/RUhFKmqcK9ZdzI9t8cVrIGl1bogFZ72SDd8
> /Cw8fUWh+UMoRwrrOI/g/ZYKeq6UbUVTzEs7RNuPJ1LqiT+RG6HNzUfIsvo+8tTL
> nw8bpKa2uG2pGyzGNT9R3iT29xqwrZNond4mWh+xlzSqhmznaentexQGPqJJ4tAx
> dd+jt0zCDMPH7UjWcAcobEaZQzZ4JMGURctQUnbFt1YynFUtiD8Rxvw30Yi1xrw7
> qNnFdCskuqOPxzqvM/wJG2A04+qvYegA2aO/4CGLTiDE2EPQ4OgRYCf0frSLTDQa
> eUMfqVPBhiB8h82YI1Q41GwEP7Fuo+E5LLCTNEYREgb/kxfRwxECrtIzp2q27Qwr
> Mglxw0layFcCNePypRz4Nuwhl1o1kXICp6dtHb2TTeuEorKdOG6PeA==
> -----END RSA PRIVATE KEY-----
>
> *** And here the OpenCA cert not working ***
>
> -----BEGIN CERTIFICATE-----
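As an added example (not code from the thread, from FreeRADIUS or from OpenSSL), here is a standard-library Python inspector for the questions this thread raises about a file handed to rlm_eap_tls: whether it is PEM or DER as Mike asks; which PEM blocks it holds (with pem_file_type = yes the module expects a CERTIFICATE block in certificate_file and a key block in private_key_file, and "PEM_read_bio:no start line ... Expecting: CERTIFICATE" is what OpenSSL reports when no such block is found); whether the key is a traditional RSA PRIVATE KEY with Proc-Type/DEK-Info headers, as in the working cert-srv.pem above, or a PKCS#8 ENCRYPTED PRIVATE KEY, the form for which OpenSSL goes through PKCS12_pbe_crypt and reports "unknown pbe algorithm ... pbeWithMD5AndDES-CBC" when it cannot initialize the PBE scheme; and which extendedKeyUsage OIDs the certificate carries, the "special OID (usage)" Michael refers to. The embedded sample is constructed from the working certificate quoted above; its key block has a placeholder body, and the serverAuth/clientAuth names are the standard values for those OIDs.

```python
"""Inspect a certificate/key file the way FreeRADIUS rlm_eap_tls reads it (pem_file_type = yes).
Added example, standard library only: PEM or DER? which blocks? which key form? which EKU OIDs?"""
import base64
import re
import sys

OID_EXT_KEY_USAGE = "2.5.29.37"
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample: the working CA.all server certificate quoted in the thread, followed by a
# traditional encrypted-key block whose base64 body is a placeholder (only its headers are read).
SAMPLE = b"""-----BEGIN CERTIFICATE-----
MIICyTCCAjKgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCQ0Ex
ETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQHEwlTb21lIENpdHkxFTATBgNVBAoT
DE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9jYWxob3N0MRswGQYDVQQDExJDbGll
bnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNv
bTAeFw0wNDAxMjUxMzI2MTBaFw0wNTAxMjQxMzI2MTBaMIGbMQswCQYDVQQGEwJD
QTERMA8GA1UECBMIUHJvdmluY2UxEjAQBgNVBAcTCVNvbWUgQ2l0eTEVMBMGA1UE
ChMMT3JnYW5pemF0aW9uMRIwEAYDVQQLEwlsb2NhbGhvc3QxGTAXBgNVBAMTEFJv
b3QgY2VydGlmaWNhdGUxHzAdBgkqhkiG9w0BCQEWEHJvb3RAZXhhbXBsZS5jb20w
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANrFJUIr/tsIJimiy6RLNEnJDQq0
YvtyyENKeCCYhj1+t9fnACjCt61VWlHMdWz0+h1wkWFatFDVKJVTrmYWr/AUpVCF
1rj7Su6YY45CYXXN02xmXGPNoXfTSSDrMFhe3IdzmZwpgPga1GOLu+ocgtBUAj23
7ySj7Bw/YkGpA9fzAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqG
SIb3DQEBBAUAA4GBAHotkhsc8TvymCqReOye3m2I7cF4oui9QKCgb7bwdplXiEzX
CEU3CDSW/RhBZSk/WDyOgkDraOBCyUsVdS5MB+gNCXea+j3VXCT6VKwpLXcgXRwk
d+0w1Z9Xyvm9If8qjRbMCRHFDk8pV2P8tg76PD0tDkOFD25vvihJAvboNQNl
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,45A3F7FFC07A6C8D

AAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

def detect_encoding(data):
    """DER certificates and keys start with an ASN.1 SEQUENCE byte; PEM is base64 in armour."""
    return "pem" if b"-----BEGIN " in data else "der" if data[:1] == b"\x30" else "unknown"

def pem_blocks(data):
    """Yield (label, header_lines, decoded_bytes) per PEM block; prologue text is skipped."""
    for m in PEM_BLOCK.finditer(data):
        lines, headers = m.group(2).splitlines(), []
        while lines and b":" in lines[0]:            # Proc-Type / DEK-Info of traditional keys
            headers.append(lines.pop(0).decode().strip())
        yield m.group(1).decode(), headers, base64.b64decode(b"".join(l.strip() for l in lines))

def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: low 7 bits = count of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = der_tlv(buf, pos)
        out.append((tag, value))
    return out

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0    # first byte packs the first two arcs
    for b in value[1:]:                                # remaining arcs are base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def find_eku(cert_der):
    """Return the extendedKeyUsage OIDs of a DER certificate ([] when the extension is absent)."""
    stack = [cert_der]
    while stack:
        kids = children(stack.pop())
        if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == OID_EXT_KEY_USAGE:
            _, seq, _ = der_tlv(kids[-1][1], 0)      # extension OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for t, v in children(seq) if t == 0x06]
        stack.extend(v for t, v in kids if t & 0x20)  # descend into constructed nodes only
    return []

def key_form(label, headers):
    if label == "RSA PRIVATE KEY":
        dek = [h.split()[1].split(",")[0] for h in headers if h.startswith("DEK-Info:")]
        return "traditional, encrypted with " + dek[0] if dek else "traditional, unencrypted"
    return {"ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted", "PRIVATE KEY": "PKCS#8 unencrypted"}.get(label, label)

def inspect(data):
    report = {"encoding": detect_encoding(data), "blocks": [], "eku": [], "key": None}
    for label, headers, raw in (pem_blocks(data) if report["encoding"] == "pem" else ()):
        report["blocks"].append(label)
        if label == "CERTIFICATE":
            report["eku"] = [EKU_NAMES.get(o, o) for o in find_eku(raw)]
        elif label.endswith("PRIVATE KEY"):
            report["key"] = key_form(label, headers)
    return report

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(inspect(data))
```

Run it with the path rlm_eap_tls is configured with (for the setup above, `/usr/local/etc/raddb/sh/cert-srv.pem`) or with no argument for the embedded sample, which reports a PEM file holding a CERTIFICATE and an RSA PRIVATE KEY block, a DES-EDE3-CBC traditional key, and serverAuth as the only EKU. A file produced by exporting from OpenCA as PKCS#12 and converting with openssl, the route that resolves the thread, should come out with the same two block labels; a file that reports "der" or an ENCRYPTED PRIVATE KEY block is the one to convert before pointing the server at it.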
Re: OpenCA Freeradius and EAP_TLS
Whoops. Didn't read the whole message before sending that last one.

--Mike

Tom Tim wrote:
> [...]
>
> *** And here the OpenCA cert not working ***
>
> -----BEGIN CERTIFICATE-----
> MIIFhzCCA2+gAwIBAgIBFDANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJERTEP
Re: OpenCA Freeradius and EAP_TLS
Thanks Michael Griego and Michael Schwartzkopff,

now I export my certificate on OpenCA as a pkcs12 certificate. After that I
convert it to .pem using openssl. Now the cert file looks like the file
generated with the CA.all script and all works fine!!!

Greetings
tim