Re: Windows XP keeps "verifying identity"

2006-07-14 Thread Alan DeKok
"Klaas De Craemer" <[EMAIL PROTECTED]> wrote:
> Below is RASTLS.LOG and EAPOL.LOG, which I believe are the most important.
> I can't find any apparent error in it though, it just keeps repeating
> the same request over and over again... Any ideas?

  Errors follow:

> [872] 11:24:14:815: SecurityContextFunction
> [872] 11:24:14:815: InitializeSecurityContext returned 0x80090327
> [872] 11:24:14:815: State change to RecdFinished. Error: 0x80090327

  That looks like an error to me.

  The previous packet it received was:

> [872] 11:24:14:815: >> Received Request (Code: 1) packet: Id: 4,
> Length: 587, Type: 13, TLS blob length: 1601. Flags: L

  You can correlate that information with the FreeRADIUS debug logs to
see what's going on.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
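
The correlation suggested above, as an added example that is not part of the original thread: it pulls failing SSPI calls out of RASTLS.LOG text and pairs each with the EAP request received just before it, so the EAP Id can be matched against the FreeRADIUS debug output (EAP type 13 is EAP-TLS). The Id 3 lines in the sample are constructed, the Id 4 lines are the ones quoted above with the wrapped line rejoined, and the status names are the winerror.h names for those codes.

```python
import re

# winerror.h names for SSPI status codes commonly seen during a TLS handshake.
SSPI_NAMES = {
    0x00090312: "SEC_I_CONTINUE_NEEDED",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090325: "SEC_E_UNTRUSTED_ROOT",
    0x80090327: "SEC_E_CERT_UNKNOWN",
    0x80090328: "SEC_E_CERT_EXPIRED",
}

# Id 3 lines are constructed; Id 4 lines are quoted in the message above.
SAMPLE = """\
[872] 11:24:14:705: >> Received Request (Code: 1) packet: Id: 3, Length: 1034, Type: 13, TLS blob length: 1601. Flags: LM
[872] 11:24:14:705: InitializeSecurityContext returned 0x90312
[872] 11:24:14:815: >> Received Request (Code: 1) packet: Id: 4, Length: 587, Type: 13, TLS blob length: 1601. Flags: L
[872] 11:24:14:815: SecurityContextFunction
[872] 11:24:14:815: InitializeSecurityContext returned 0x80090327
[872] 11:24:14:815: State change to RecdFinished. Error: 0x80090327
"""

LINE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d{3}): (.*)$")
RECV = re.compile(r"Received Request \(Code: \d+\) packet: Id: (\d+), Length: (\d+), "
                  r"Type: (\d+), TLS blob length: (\d+)\. Flags: (\w*)")
RET = re.compile(r"(\w+) returned (0x[0-9A-Fa-f]+)")

def find_failures(log_text):
    """Return each failing SSPI call with the EAP request received before it."""
    last_req, failures = {}, []          # last_req: thread id -> latest request
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, ts, msg = m.groups()
        req, ret = RECV.search(msg), RET.search(msg)
        if req:
            keys = ("eap_id", "length", "eap_type", "tls_len")
            last_req[tid] = dict(zip(keys, map(int, req.groups()[:4])), flags=req.group(5))
        elif ret and int(ret.group(2), 16) & 0x80000000:   # HRESULT failure bit
            status = int(ret.group(2), 16)
            failures.append({"time": ts, "call": ret.group(1), "status": status,
                             "name": SSPI_NAMES.get(status, "unknown"),
                             "request": last_req.get(tid)})
    return failures

if __name__ == "__main__":
    for f in find_failures(SAMPLE):
        print(f"{f['time']} {f['call']} -> 0x{f['status']:08X} {f['name']}; "
              f"after EAP Id {f['request']['eap_id']}")
```
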


Re: Windows XP keeps "verifying identity"

2006-07-10 Thread Phil Mayers

Klaas De Craemer wrote:
> Do you mean the so-called "xpextensions" (1.3.6.1.5.5.7.3.2 for the
> client and .1 for the server)?
> I have used them to generate the certificates...

Since the client is stopping, and you say you have the OIDs, you'll have
to debug the client. Try:

netsh ras set tracing * enabled

...and then look for the relevant logs in

c:\windows\whereverthehelltheygo


Re: Windows XP keeps "verifying identity"

2006-07-10 Thread Phil Mayers

Garber, Neal wrote:
> > Sending Access-Challenge of id 15 to 127.0.0.1:1027
>
> > rad_recv: Access-Request packet from host 127.0.0.1:1027, id=0,
> > length=159
>
> It's receiving the request from a loopback address.  Is the client the
> same machine as the FreeRadius server?  Are you really connecting to an
> Access Point?  If so, what is its IP address?

That's the EAP inner request. It's proxied internally to FreeRadius, and
127.0.0.1 is just put in there to fill the IP address in.


RE: Windows XP keeps "verifying identity"

2006-07-10 Thread Garber, Neal
> Sending Access-Challenge of id 15 to 127.0.0.1:1027

> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=0,
> length=159


It's receiving the request from a loopback address.  Is the client the
same machine as the FreeRadius server?  Are you really connecting to an
Access Point?  If so, what is its IP address?



RE: Windows XP keeps "verifying identity"

2006-07-10 Thread Klaas De Craemer
uth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/freeradius/certs/server_key.pem"
tls: certificate_file = "/etc/freeradius/certs/server_cert.pem"
tls: CA_file = "/etc/freeradius/certs/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/freeradius/certs/dh"
tls: random_file = "/etc/freeradius/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
==



> make appropriate changes in radiusd.conf & eap.conf for the authentication
> method you want to use
>
> Pradeep
>
> --
>
> Message: 3
> Date: Sat, 8 Jul 2006 15:27:31 +0200
> From: "Klaas De Craemer"
> Subject: Re: Windows XP keeps "verifying identity"
> To: freeradius-users at lists.freeradius.org
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Ow, I forgot to say that I'm trying to use EAP-TLS...
>
> 2006/7/8, Klaas De Craemer
> ...


Re: Windows XP keeps "verifying identity"

2006-07-10 Thread Pradeep Sengar
make appropriate changes in radiusd.conf & eap.conf for the authentication method you want to use

Pradeep

--
> Message: 3
> Date: Sat, 8 Jul 2006 15:27:31 +0200
> From: "Klaas De Craemer" <[EMAIL PROTECTED]>
> Subject: Re: Windows XP keeps "verifying identity"
> To: freeradius-users@lists.freeradius.org
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Ow, I forgot to say that I'm trying to use EAP-TLS...
>
> 2006/7/8, Klaas De Craemer <[EMAIL PROTECTED]>
> ...
> ---
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 15, Issue 23


Re: Re: Windows XP keeps "verifying identity"

2006-07-08 Thread Klaas De Craemer

Do you mean the so-called "xpextensions" (1.3.6.1.5.5.7.3.2 for the
client and .1 for the server)?
I have used them to generate the certificates...

> "Klaas De Craemer" wrote:
> > I have been trying to set up an Access Point on a soekris-board for
> > some days now, but I keep getting stuck. The certificates are all in
> > place, Freeradius starts up nicely, hostapd seems to work... But the
> > trouble starts in Windows XP SP2: When I try to associate with the AP,
> > it keeps sitting in a "Attempting Verification"-loop.
>
>   You don't have the Microsoft OID's in the server certificate.  See
> the documentation for details.
>
>   Alan DeKok.


Re: Windows XP keeps "verifying identity"

2006-07-08 Thread Alan DeKok
"Klaas De Craemer" <[EMAIL PROTECTED]> wrote:
> I have been trying to set up an Access Point on a soekris-board for
> some days now, but I keep getting stuck. The certificates are all in
> place, Freeradius starts up nicely, hostapd seems to work... But the
> trouble starts in Windows XP SP2: When I try to associate with the AP,
> it keeps sitting in a "Attempting Verification"-loop.

  You don't have the Microsoft OID's in the server certificate.  See
the documentation for details.

  Alan DeKok.


Re: Windows XP keeps "verifying identity"

2006-07-08 Thread Klaas De Craemer

Ow, I forgot to say that I'm trying to use EAP-TLS...

2006/7/8, Klaas De Craemer <[EMAIL PROTECTED]>
...