Re: EAP_TLS
Hi,

> hello freeradius.
> I used my radius by using authentication type EAP-MD5, which is based on the
> use of login and password.
> Then I tried to use EAP-TLS. So I created the certificates and I modified the
> file eap.con as follows:

surely eap.conf

yes, you have a missing closing bracket } (and more!) at the end of the file. read the file, see how yours is formatted.. in fact, you've really mashed up your file. take the original file and only edit the lines that you need (for your password, key file etc.)

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
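The "missing closing bracket" Alan points out is the kind of error a small structural check catches before radiusd is restarted. The script below is an added example for this thread, not FreeRADIUS code and not anything posted on the list: a stack-based brace checker for radiusd.conf-style files that ignores braces inside `#` comments, quoted strings and `${var}` references, and reports the line of each section left open. The eap.conf fragment it scans is constructed to reproduce the mistake (one brace short at the end of the file).

```python
"""Check that a FreeRADIUS-style config (radiusd.conf, eap.conf) has balanced
section braces and report where an unmatched brace sits.

Added example for this thread; it is not part of FreeRADIUS and not code from
the original posts. BROKEN_EAP_CONF is a constructed fragment."""

from typing import List, Tuple

# Constructed sample: the `tls { ... }` section gets one '}' but `eap { ... }`
# never does, so the file ends one brace short, as in the original post.
BROKEN_EAP_CONF = """\
eap {
    default_eap_type = tls
    timer_expire = 60
    # a '}' inside a comment or a string must not count
    tls {
        private_key_password = "wh}atever"
        private_key_file = ${raddbdir}/certs/basile.pem
        certificate_file = ${raddbdir}/certs/basile.pem
        CA_file = ${raddbdir}/certs/demoCA/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
}
"""


def _strip_comments_and_strings(line: str) -> str:
    """Return `line` with '#' comments removed and quoted strings and ${var}
    references blanked, so braces inside them are ignored by the check."""
    out: List[str] = []
    i, n = 0, len(line)
    while i < n:
        ch = line[i]
        if ch == "#":
            break
        if ch == '"':
            # skip the quoted string, honouring backslash escapes
            i += 1
            while i < n and line[i] != '"':
                i += 2 if line[i] == "\\" else 1
            i += 1
            continue
        if ch == "$" and i + 1 < n and line[i + 1] == "{":
            # ${var} is balanced by construction; skip it whole
            end = line.find("}", i)
            i = n if end == -1 else end + 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def check_braces(text: str) -> List[Tuple[int, str]]:
    """Scan `text` and return (line_number, message) for every problem.

    Each '{' is pushed with its line number and section name; each '}' pops
    one. Whatever is still on the stack at end-of-file is an unclosed
    section; a '}' with an empty stack is a stray close."""
    problems: List[Tuple[int, str]] = []
    stack: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comments_and_strings(raw)
        for ch in line:
            if ch == "{":
                name = line.split("{", 1)[0].strip() or "<anonymous>"
                stack.append((lineno, name))
            elif ch == "}":
                if not stack:
                    problems.append((lineno, "stray '}' with no open section"))
                else:
                    stack.pop()
    for lineno, name in stack:
        problems.append((lineno, f"section '{name}' opened here is never closed"))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_braces(BROKEN_EAP_CONF):
        print(f"line {lineno}: {msg}")
```

A plain stack cannot tell which section the author forgot to close, only that the outermost one (`eap`, opened on line 1) is still open when the file ends; that is the same view the server has, which is why Alan's advice to start again from the shipped file and touch only the needed lines is the practical fix.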
Re: eap_tls
Basile Mathieu <[EMAIL PROTECTED]> wrote:
> here is the output of radius when the laptop try to authenticate
> because i m not radius master :) if someone can tell me what
> is not going well

The AP seems to be ignoring the response of the RADIUS server. I believe this is in the FAQ.

Alan DeKok.
Re: eap_tls
At 09:41 26/02/2004 -0500, you wrote:
> Basile Mathieu <[EMAIL PROTECTED]> wrote:
> > here is the output of radius when the laptop try to authenticate
> > because i m not radius master :) if someone can tell me what
> > is not going well
>
> The AP seems to be ignoring the response of the RADIUS server. I believe this is in the FAQ.

I bind the server on one IP address like said in the FAQ, but without effect. I have a new log and it seems that it's better, but still not good.

Thanks for your help.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 195.220.107.24 IP address [195.220.107.24]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/basile.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/basile.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/
Re: eap_tls
Basile Mathieu <[EMAIL PROTECTED]> wrote:
> i bind the server on one ip address like said in the FAQ
> but without effect

The debug log has changed, therefore there WAS an effect. You now see:

> Sending Access-Accept of id 40 to 195.220.106.100:21646
> MS-MPPE-Recv-Key = 0x0ea3979b93d3f486acf7d096d12a68e34ad38363446447e4e64c5f2a85dc140d
> MS-MPPE-Send-Key = 0x02b63169a80c60371ab6429104cc0473c603d5b1b4f038461fd2120c0cc218ae
> EAP-Message = 0x03040004
> Message-Authenticator = 0x
> User-Name = "sentinelle"

So it works, and the change you made helped. FreeRADIUS sent an Access-Accept, so it thinks everything is fine. If the wireless client cannot access the network, then the problem is in the AP or the wireless client, not in FreeRADIUS.

Alan DeKok.
Re: eap_tls
i have a question

i look at "good log" and after the tls "conversation" there is:

  module "eap" returns ok

and for me it's:

  module "eap" returns handled

my question: what does it mean and is it a problem?

basile

At 11:03 26/02/2004 -0500, you wrote:
> Basile Mathieu <[EMAIL PROTECTED]> wrote:
> > i bind the server on one ip address like said in the FAQ
> > but without effect
>
> The debug log has changed, therefore there WAS an effect. You now see:
>
> > Sending Access-Accept of id 40 to 195.220.106.100:21646
> > MS-MPPE-Recv-Key = 0x0ea3979b93d3f486acf7d096d12a68e34ad38363446447e4e64c5f2a85dc140d
> > MS-MPPE-Send-Key = 0x02b63169a80c60371ab6429104cc0473c603d5b1b4f038461fd2120c0cc218ae
> > EAP-Message = 0x03040004
> > Message-Authenticator = 0x
> > User-Name = "sentinelle"
>
> So it works, and the change you made helped. FreeRADIUS sent an Access-Accept, so it thinks everything is fine. If the wireless client cannot access the network, then the problem is in the AP or the wireless client, not in FreeRADIUS.
>
> Alan DeKok.
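Two things in this thread are worth pulling out of a `radiusd -X` dump mechanically: the `tls:` settings the server prints at startup (the earlier post shows `rsa_key_length = 512`, `dh_key_length = 512`, `private_key_password = "whatever"` and `check_crl = no`), and the outcome of the exchange (which packet was sent, whether it carried the MS-MPPE keys Alan points at, and what return code the `eap` module gave). The script below is an added example for this thread, not FreeRADIUS code and not taken from the posts; the log excerpt it parses is constructed from values that appear in the thread, and the thresholds in `audit` are this example's own policy choices.

```python
"""Audit a `radiusd -X` debug log for the EAP-TLS settings it reports and for
the outcome of an authentication.

Added example for this thread; not FreeRADIUS code and not from the posts.
SAMPLE_LOG is a constructed excerpt built from values quoted in the thread."""

import re
from typing import Dict, List, Tuple

# Constructed excerpt: `section: key = value` lines from the startup dump,
# one modcall result line, and the Access-Accept quoted later in the thread.
SAMPLE_LOG = """\
Module: Loaded eap
 eap: default_eap_type = "tls"
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: private_key_file = "/usr/local/etc/raddb/certs/basile.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/basile.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/root.pem"
 tls: private_key_password = "whatever"
 tls: fragment_size = 1024
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
  modcall[authenticate]: module "eap" returns handled
Sending Access-Accept of id 40 to 195.220.106.100:21646
        MS-MPPE-Recv-Key = 0x0ea3979b93d3f486acf7d096d12a68e34ad38363446447e4e64c5f2a85dc140d
        MS-MPPE-Send-Key = 0x02b63169a80c60371ab6429104cc0473c603d5b1b4f038461fd2120c0cc218ae
        EAP-Message = 0x03040004
        User-Name = "sentinelle"
"""

SETTING_RE = re.compile(r'^\s*(\w+):\s+(\w+)\s*=\s*"?([^"]*?)"?\s*$')
MODCALL_RE = re.compile(r'module "(\w+)" returns (\w+)')
REPLY_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.+?)\s*$")


def parse_settings(log: str) -> Dict[str, Dict[str, str]]:
    """Collect `section: key = value` lines into {section: {key: value}}."""
    settings: Dict[str, Dict[str, str]] = {}
    for line in log.splitlines():
        m = SETTING_RE.match(line)
        if m:
            section, key, value = m.groups()
            settings.setdefault(section, {})[key] = value
    return settings


def module_results(log: str) -> List[Tuple[str, str]]:
    """Return (module, return_code) for every `module "x" returns y` line."""
    return [(m.group(1), m.group(2)) for line in log.splitlines()
            if (m := MODCALL_RE.search(line))]


def parse_reply(log: str) -> Dict[str, object]:
    """Find the packet FreeRADIUS sent and the indented attributes under it."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = REPLY_RE.match(line)
        if not m:
            continue
        attrs: Dict[str, str] = {}
        for nxt in lines[i + 1:]:
            a = ATTR_RE.match(nxt)
            if not a:
                break
            attrs[a.group(1)] = a.group(2)
        return {"code": m.group(1), "id": int(m.group(2)), "to": m.group(3), "attrs": attrs}
    return {}


def audit(log: str) -> List[str]:
    """Human-readable findings; thresholds are this example's own policy."""
    findings: List[str] = []
    tls = parse_settings(log).get("tls", {})
    for key in ("rsa_key_length", "dh_key_length"):
        if key in tls and int(tls[key]) < 2048:
            findings.append(f"{key} = {tls[key]}: ephemeral key shorter than 2048 bits")
    if tls.get("private_key_password") == "whatever":
        findings.append("private_key_password is the sample value from the shipped eap.conf")
    if tls.get("check_crl", "no") == "no":
        findings.append("check_crl = no: revoked client certificates are still accepted")
    reply = parse_reply(log)
    if reply.get("code") == "Access-Accept":
        attrs = reply["attrs"]
        missing = [k for k in ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key") if k not in attrs]
        if missing:
            findings.append("Access-Accept without " + ", ".join(missing))
        else:
            findings.append(f"Access-Accept id {reply['id']} to {reply['to']} carried both MS-MPPE keys")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print(module_results(SAMPLE_LOG))
```

Run against the constructed excerpt the audit reports the two 512-bit ephemeral key lengths, the sample private-key password, the disabled CRL check, and an Access-Accept that does carry both MS-MPPE keys; `module_results` returns `[("eap", "handled")]`, the return code Basile asks about. The parser keys on the `section: key = value` shape and the `Sending <code> of id <n> to <peer>` line only, so it is indifferent to the rest of the dump.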
Re: eap_tls with cisco aironet 1100 and cisco 350 serie pcmcia
Hi Mathieu,

See below a part of my config for a Cisco AP1200 that is running for any EAP authentication (IOS 12.2(8)JA):

aaa new-model
!
!
aaa group server radius rad_eap
 server auth-port 1812 acct-port 1813
!
aaa authentication login default group radius local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
bridge irb
!
!
interface Dot11Radio0
 description --- Port Radios 802.11b
 no ip address
 no ip route-cache
 encryption key 1 size 40bit 0 transmit-key
 encryption mode wep mandatory
 !
 !
 ssid test-eap
    max-associations 31
    authentication open eap eap_methods
    authentication network-eap eap_methods
 speed basic-5.5 11.0
 rts threshold 2339
 power local 50
 channel 2442
 fragment-threshold 2338
 station-role root
 l2-filter bridge-group-acl
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 ntp broadcast client
 l2-filter bridge-group-acl
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 description --- Interface interne ---
 ip address 255.255.255.0
 no ip route-cache
!
ip default-gateway
no ip http server
ip radius source-interface BVI1
radius-server host auth-port 1812 acct-port 1813 timeout 3
radius-server retransmit 3
radius-server key
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
end

Basile Mathieu wrote:
> does someone configure cisco aironet 1100 (AP) and cisco serie 350 for eap_tls with freeradius? the configuration of the AP interests me
>
> thanks
> basile

Regards.
Jean-Paul.

--
-- Jean-Paul Chapalain - GICM - Networks and Infrastructure Manager
-- 32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
-- Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
-- Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D
Re: eap_tls with cisco aironet 1100 and cisco 350 serie pcmcia
hi basile

yes, we have it here since 2002 :-) what exactly do you want to know?

ciao
artur

Basile Mathieu wrote:
> does someone configure cisco aironet 1100 (AP) and cisco serie 350 for eap_tls with freeradius? the configuration of the AP interests me

--
__
Artur Hecker                          http://www.enst.fr/~hecker
Groupe Accès et Mobilité / Computer Science and Networks
E N S T Paris
___