Re: EAP_TLS

2010-05-31 Thread Alan Buxey
Hi,

> hello freeradius.
> I used my radius by using authentication type EAP-MD5, which is based on the 
> use of login and password.
> Then I tried to use EAP-TLS. So I created the certificates and I modified the 
> file eap.con as follows:

surely eap.conf


yes, you have a missing closing bracket } (and more!) at the end of the file.
read the file, see how yours is formatted.. in fact, you've really mashed
up your file.
take the original file and only edit the lines that you need (for your
password, key file etc.)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
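The unclosed brace Alan points at is the kind of defect a syntax check catches before radiusd is restarted. Below is an added example, not FreeRADIUS code and not from either poster: a brace-balance checker for eap.conf-style files that ignores `#` comments, double-quoted values and `${var}` references, and reports the line where each unclosed section was opened. The eap.conf fragment it runs on is constructed for the example, with the `tls` block deliberately left open.

```python
"""Brace-balance checker for FreeRADIUS-style config files (eap.conf, radiusd.conf).

Added example, not code from FreeRADIUS or from the list posts. It assumes the
grammar those files use: `#` starts a comment, values may be double-quoted,
`${name}` is a variable reference, and sections are delimited by `{` and `}`.
"""
import re

# Constructed sample modelled on a mangled eap.conf: the tls { } block is never closed.
SAMPLE_BROKEN_EAP_CONF = """\
# constructed sample: eap.conf fragment with a missing closing brace
eap {
    default_eap_type = tls
    tls {
        private_key_password = "what{ever"   # a brace inside a string must be ignored
        private_key_file = ${raddbdir}/certs/server.pem
        certificate_file = ${raddbdir}/certs/server.pem
        CA_file = ${raddbdir}/certs/ca.pem
        dh_file = ${raddbdir}/certs/dh
        # } inside a comment must be ignored too
"""

# The same fragment with both sections closed properly.
SAMPLE_GOOD_EAP_CONF = SAMPLE_BROKEN_EAP_CONF + "    }\n}\n"

VAR_REF_RE = re.compile(r"\$\{[^}]*\}")


def strip_comments_and_strings(line):
    """Return the line with ${var} references and double-quoted strings removed
    and any # comment cut off, so braces inside them are not counted."""
    line = VAR_REF_RE.sub("", line)
    out = []
    in_string = False
    i = 0
    while i < len(line):
        ch = line[i]
        if in_string:
            if ch == "\\" and i + 1 < len(line):
                i += 2          # skip an escaped character inside the string
                continue
            if ch == '"':
                in_string = False
            i += 1
            continue
        if ch == '"':
            in_string = True
        elif ch == "#":
            break               # rest of the line is a comment
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def check_braces(text):
    """Return a list of problems:
    ('unclosed', line_no, section_name) for every section never closed, and
    ('unexpected_close', line_no, None) for a } with no matching {."""
    problems = []
    stack = []  # (line_no, section name) for each currently open section
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = strip_comments_and_strings(raw)
        for m in re.finditer(r"[{}]", line):
            if m.group() == "{":
                # the section name is the last token before the brace, e.g. "tls"
                before = line[:m.start()].split()
                stack.append((line_no, before[-1] if before else "?"))
            elif stack:
                stack.pop()
            else:
                problems.append(("unexpected_close", line_no, None))
    for line_no, name in stack:
        problems.append(("unclosed", line_no, name))
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_BROKEN_EAP_CONF), ("good", SAMPLE_GOOD_EAP_CONF)):
        print(label, check_braces(conf) or "balanced")
```

Run it against the real file with `check_braces(open("/etc/raddb/eap.conf").read())`; an empty list means every section opened is closed. It only checks braces, so a misspelled keyword still needs `radiusd -X` to catch.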


Re: eap_tls

2004-02-26 Thread Alan DeKok
Basile Mathieu <[EMAIL PROTECTED]> wrote:
> here is the output of radius when the laptop tries to authenticate
> because I'm not a radius master :) if someone can tell me what
> is not going well

  The AP seems to be ignoring the response of the RADIUS server.  I
believe this is in the FAQ.

  Alan DeKok.



Re: eap_tls

2004-02-26 Thread Basile Mathieu
At 09:41 26/02/2004 -0500, you wrote:
> Basile Mathieu <[EMAIL PROTECTED]> wrote:
> > here is the output of radius when the laptop tries to authenticate
> > because I'm not a radius master :) if someone can tell me what
> > is not going well
>   The AP seems to be ignoring the response of the RADIUS server.  I
> believe this is in the FAQ.
I bound the server to one IP address as said in the FAQ,
but without effect.
I have a new log and it seems better, but still not good.
Thanks for your help.
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 195.220.107.24 IP address [195.220.107.24]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/basile.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/basile.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/

Re: eap_tls

2004-02-26 Thread Alan DeKok
Basile Mathieu <[EMAIL PROTECTED]> wrote:
> i bind the server on one ip address like said in the FAQ
> but without effect

  The debug log has changed, therefore there WAS an effect.

  You now see:

> Sending Access-Accept of id 40 to 195.220.106.100:21646
>  MS-MPPE-Recv-Key =
> 0x0ea3979b93d3f486acf7d096d12a68e34ad38363446447e4e64c5f2a85dc140d
>  MS-MPPE-Send-Key =
> 0x02b63169a80c60371ab6429104cc0473c603d5b1b4f038461fd2120c0cc218ae
>  EAP-Message = 0x03040004
>  Message-Authenticator = 0x
>  User-Name = "sentinelle"

  So it works, and the change you made helped.

   FreeRADIUS sent an Access-Accept, so it thinks everything is fine.
If the wireless client cannot access the network, then the problem is
in the AP or the wireless client, not in FreeRADIUS.

  Alan DeKok.



Re: eap_tls

2004-02-26 Thread Basile Mathieu
I have a question.
I looked at the "good log" and after the TLS "conversation"
there is: module "eap" returns ok
and for me it's: module "eap" returns handled
My question: what does it mean, and is it a problem?

basile





At 11:03 26/02/2004 -0500, you wrote:
> Basile Mathieu <[EMAIL PROTECTED]> wrote:
> > i bind the server on one ip address like said in the FAQ
> > but without effect
>   The debug log has changed, therefore there WAS an effect.
>
>   You now see:
>
> > Sending Access-Accept of id 40 to 195.220.106.100:21646
> >  MS-MPPE-Recv-Key =
> > 0x0ea3979b93d3f486acf7d096d12a68e34ad38363446447e4e64c5f2a85dc140d
> >  MS-MPPE-Send-Key =
> > 0x02b63169a80c60371ab6429104cc0473c603d5b1b4f038461fd2120c0cc218ae
> >  EAP-Message = 0x03040004
> >  Message-Authenticator = 0x
> >  User-Name = "sentinelle"
>   So it works, and the change you made helped.
>
>    FreeRADIUS sent an Access-Accept, so it thinks everything is fine.
> If the wireless client cannot access the network, then the problem is
> in the AP or the wireless client, not in FreeRADIUS.
>   Alan DeKok.



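Alan's reasoning (an Access-Accept carrying MS-MPPE keys means the RADIUS side finished, so look at the AP or client next) and Basile's follow-up about `returns handled` versus `returns ok` can both be read off the same debug output. In rlm_eap, `handled` means the module has itself built the reply (an Access-Challenge carrying the next TLS fragment) and the conversation is still in progress; `ok` means the EAP method completed successfully and the server goes on to send the Access-Accept. The script below is an added example, not FreeRADIUS code and not from either poster: it parses `radiusd -X` lines in the 1.x format quoted in this thread, records the module return codes and the packets sent, gives a triage verdict, and flags the 512-bit `rsa_key_length`/`dh_key_length` values seen in the posted log as below a 2048-bit minimum (that threshold is the example's own assumption). The log it runs on is constructed, with documentation IP addresses and shortened MPPE keys.

```python
"""Triage helper for `radiusd -X` debug output from an EAP-TLS exchange.

Added example; not FreeRADIUS code and not from the list posts. It assumes the
FreeRADIUS 1.x debug line formats seen in this thread:
  modcall[authenticate]: module "eap" returns <rcode> for request <n>
  Sending Access-<Type> of id <n> to <ip>:<port>
        <Attribute> = <value>
  tls: <setting> = <value>
"""
import re

# Constructed sample modelled on the debug output quoted in the thread:
# documentation addresses (203.0.113.0/24) and shortened MPPE keys, not a real capture.
SAMPLE_DEBUG_LOG = """\
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: fragment_size = 1024
rad_recv: Access-Request packet from host 203.0.113.100:21646, id=38, length=150
  modcall[authenticate]: module "eap" returns handled for request 0
Sending Access-Challenge of id 38 to 203.0.113.100:21646
rad_recv: Access-Request packet from host 203.0.113.100:21646, id=39, length=1400
  modcall[authenticate]: module "eap" returns handled for request 1
Sending Access-Challenge of id 39 to 203.0.113.100:21646
rad_recv: Access-Request packet from host 203.0.113.100:21646, id=40, length=200
  modcall[authenticate]: module "eap" returns ok for request 2
Sending Access-Accept of id 40 to 203.0.113.100:21646
\tMS-MPPE-Recv-Key = 0x0ea3979b93d3f486
\tMS-MPPE-Send-Key = 0x02b63169a80c6037
\tEAP-Message = 0x03040004
\tUser-Name = "sentinelle"
"""

SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+)")
RCODE_RE = re.compile(r'module "(\w+)" returns (\w+)')
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")
TLS_RE = re.compile(r"^\s*tls: (\w+) = (.+)$")

MIN_KEY_BITS = 2048  # assumption: minimum acceptable RSA/DH parameter size


def parse_debug(text):
    """Split the log into tls settings, module return codes, and the packets
    sent (each with the attribute lines listed under it)."""
    tls, rcodes, packets = {}, [], []
    for line in text.splitlines():
        m = TLS_RE.match(line)
        if m:
            tls[m.group(1)] = m.group(2).strip()
            continue
        m = RCODE_RE.search(line)
        if m:
            rcodes.append((m.group(1), m.group(2)))
            continue
        m = SEND_RE.match(line)
        if m:
            packets.append({"type": m.group(1), "id": int(m.group(2)),
                            "to": m.group(3), "attrs": {}})
            continue
        m = ATTR_RE.match(line)
        if m and packets:  # indented attribute lines belong to the last packet sent
            packets[-1]["attrs"][m.group(1)] = m.group(2).strip()
    return {"tls": tls, "rcodes": rcodes, "packets": packets}


def weak_tls_settings(tls):
    """Return (setting, bits) for RSA/DH parameter sizes below MIN_KEY_BITS."""
    return [(key, int(tls[key])) for key in ("rsa_key_length", "dh_key_length")
            if key in tls and int(tls[key]) < MIN_KEY_BITS]


def triage(text):
    """Verdict on where to look next. 'accept-with-keys': the RADIUS side finished
    and derived session keys, so an unusable client points at the AP or client.
    'challenge-in-progress': only Access-Challenges went out (rlm_eap kept
    returning 'handled'), so the EAP conversation never completed."""
    packets = parse_debug(text)["packets"]
    if not packets:
        return "no-reply-sent"
    last = packets[-1]
    if last["type"] == "Access-Accept":
        has_keys = {"MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"} <= set(last["attrs"])
        return "accept-with-keys" if has_keys else "accept-without-keys"
    if last["type"] == "Access-Reject":
        return "reject"
    return "challenge-in-progress"


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG_LOG)
    print("return codes:", parsed["rcodes"])
    print("verdict:", triage(SAMPLE_DEBUG_LOG))
    print("weak tls settings:", weak_tls_settings(parsed["tls"]))
```

Feed it a saved debug run with `triage(open("debug.log").read())`. A sequence of `handled` codes ending in `ok` followed by an Access-Accept is the normal shape of a successful EAP-TLS exchange; a run that ends on `handled` with no Accept or Reject means the supplicant or AP stopped answering mid-handshake.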


Re: eap_tls with cisco aironet 1100 and cisco 350 serie pcmcia

2004-02-26 Thread Jean-Paul Chapalain
Hi Mathieu,

See below part of my config for a Cisco AP1200 that is running for any
EAP authentication (IOS 12.2(8)JA):

aaa new-model
!
!
aaa group server radius rad_eap
 server  auth-port 1812 acct-port 1813
!
aaa authentication login default group radius local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
bridge irb
!
!
interface Dot11Radio0
 description --- Port Radios 802.11b 
 no ip address
 no ip route-cache
 encryption key 1 size 40bit 0  transmit-key
 encryption mode wep mandatory
 !
 !
 ssid test-eap
    max-associations 31
    authentication open eap eap_methods
    authentication network-eap eap_methods
 speed basic-5.5 11.0
 rts threshold 2339
 power local 50
 channel 2442
 fragment-threshold 2338
 station-role root
 l2-filter bridge-group-acl
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 ntp broadcast client
 l2-filter bridge-group-acl
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 description --- Interface interne --- 

 ip address  255.255.255.0
 no ip route-cache
!
ip default-gateway 
no ip http server
ip radius source-interface BVI1
radius-server host  auth-port 1812 acct-port 1813 timeout 3
radius-server retransmit 3
radius-server key 
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
end
Basile Mathieu wrote:
> does someone configure cisco aironet 1100 ( AP ) and cisco serie 350 for
> eap_tls with freeradius
> the configuration of the AP interests me
> thanks
> basile
Regards.
Jean-Paul.
--
--  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
--  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
--  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D




Re: eap_tls with cisco aironet 1100 and cisco 350 serie pcmcia

2004-02-26 Thread Artur Hecker
hi basile

yes, we have it here since 2002 :-) what exactly do you want to know?

ciao
artur
Basile Mathieu wrote:

> does someone configure cisco aironet 1100 ( AP ) and cisco serie 350 for
> eap_tls with freeradius
> the configuration of the AP interests me
--
__
Artur Hecker  http://www.enst.fr/~hecker
Groupe Accès et Mobilité  /  Computer Science and Networks
E N S T  Paris ___