Re: PEAP problems, never see an Access-Accept

2006-02-02 Thread Alan DeKok
Jorgen Rosink [EMAIL PROTECTED] wrote:
 Had a hard time to even start FreeRadius on my Debian Unstable system
 with a working PEAP module (yes, I'm aware of OpenSSL licences and
 eap_tls / eap_peap linking problems with Debian, _now_ ;-) ) I'm
 currently using the 20060202-snapshot. With this version (also tried
 20060130, same behaviour) I'm able to create PEAP enabled Debian
 packages, after manually editing the pcap section in the main
 Makefile.

  I'd suggest using 1.1.0, unless you're willing to work with an
unstable version of FreeRADIUS.

 The problem now is that I'm trying to authenticate a default WindowsXP
 SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and a HP ProCurve
 520WL Access Point in 802.1x mode (latest firmware). Below my
 FreeRadius startup and an attempt to authenticate, could someone please
 point me in a direction what's going on, I've no clue what's wrong...

  The symptom that Windows stops talking to the RADIUS server usually
means that the server certificate doesn't contain the magic windows
OID's.  See the scripts/ directory for samples of how to create certs
with the right stuff.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
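
The check behind the reply above, as an added example (not part of the original thread and not the FreeRADIUS scripts/ code): it signs one server CSR with and without the server-authentication extended key usage OID and tests each certificate for it. The section name xpserver_ext, the file names and the subject names are assumptions made for illustration; xpclient_ext and xpextensions are the names used elsewhere in this thread.

```shell
#!/bin/sh
# Added example: sign one server CSR twice with a throwaway CA, with and
# without the Windows EKU OID, then check each result. Names are constructed.
set -e

# xpclient_ext and xpextensions are named in this thread; xpserver_ext is the
# assumed name for the server-side section.
write_xpextensions() {
    cat > "$1/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# make_certs DIR: create ca-crt.pem, server-plain.pem and server-xp.pem in DIR.
make_certs() {
    d=$1
    write_xpextensions "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca-crt.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$d/server-key.pem" -out "$d/server-csr.pem" 2>/dev/null
    # Signed with no extensions: the certificate lacks the OIDs discussed above.
    openssl x509 -req -in "$d/server-csr.pem" -days 30 \
        -CA "$d/ca-crt.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
        -out "$d/server-plain.pem" 2>/dev/null
    # Same CSR, signed with the server-authentication EKU.
    openssl x509 -req -in "$d/server-csr.pem" -days 30 \
        -CA "$d/ca-crt.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
        -extfile "$d/xpextensions" -extensions xpserver_ext \
        -out "$d/server-xp.pem" 2>/dev/null
}

# has_server_eku CERT: succeeds only if CERT carries 1.3.6.1.5.5.7.3.1,
# which openssl prints as "TLS Web Server Authentication".
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

demo=$(mktemp -d)
make_certs "$demo"
for c in server-plain.pem server-xp.pem; do
    if has_server_eku "$demo/$c"; then echo "$c: EKU present"
    else echo "$c: EKU missing"; fi
done
```

The same has_server_eku check can be pointed at the file configured as certificate_file in eap.conf before testing with a Windows supplicant.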


Re: PEAP problems, never see an Access-Accept

2006-02-02 Thread Jorgen Rosink
On 2/3/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Jorgen Rosink [EMAIL PROTECTED] wrote:
  Had a hard time to even start FreeRadius on my Debian Unstable system
  with a working PEAP module (yes, I'm aware of OpenSSL licences and
  eap_tls / eap_peap linking problems with Debian, _now_ ;-) ) I'm
  currently using the 20060202-snapshot. With this version (also tried
  20060130, same behaviour) I'm able to create PEAP enabled Debian
  packages, after manually editing the pcap section in the main
  Makefile.

   I'd suggest using 1.1.0, unless you're willing to work with an
 unstable version of FreeRADIUS.

I'd like to, but I'm unable to build working Debian packages with both
the official source 1.1.0 and the Debian upstream one (override
libssl-dev build conflict). The symlinks in my Freeradius libdir for
both eap_tls & eap_peap are invalid with this version (1.0.5 also
failed).
From what I understand this should be fixed in 1.1.0, but as mentioned
earlier, the latest snapshots are the only ones working here, with
PEAP that is.


  The problem now is that I'm trying to authenticate a default WindowsXP
  SP2 supplicant (ipw2200 nic) with PEAP, mschapv2 and a HP ProCurve
  520WL Access Point in 802.1x mode (latest firmware). Below my
  FreeRadius startup and an attempt to authenticate, could someone please
  point me in a direction what's going on, I've no clue what's wrong...

   The symptom that Windows stops talking to the RADIUS server usually
 means that the server certificate doesn't contain the magic windows
 OID's.  See the scripts/ directory for samples of how to create certs
 with the right stuff.

That did the trick, thank you very much!!!



Re: peap problems

2005-01-27 Thread ealatalo
Quoting Michael Griego [EMAIL PROTECTED]:

 I'm guessing you're using the Windows XP supplicant?  This looks like a 
 classic case of your CA certificate not being present on the client machine.
 
 --Mike
 
 ---
 Michael Griego
 Wireless LAN Project Manager
 The University of Texas at Dallas

Hi.

Yes, I use the WinXP (SP2) supplicant and the access point is an Intel 2011B.
I created new certificates. Then I copied the root.der and client-crt.p12 files to the
supplicant. Windows shows that the certificates are OK and are used for remote client
identity. (I am trying the TLS method too.) Now, in the authentication process, I found
the following error line.


rlm_eap_tls:  TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 03a8], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0044], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13


The next lines show how I created the certificates.


Server certificate***

openssl genrsa -des3 -out server-key.pem 2048 
 
openssl req -new -key server-key.pem -out server-csr.pem
 
openssl req -in server-csr.pem -out server-crt.pem -key server-key.pem -x509 -days 3652

openssl ca -in server-csr.pem -out server-crt.pem -days 3652 -policy policy_anything

 
root certificate**
 
cp server-crt.pem root.pem 
 
openssl x509 -in root -inform PEM -out root.der -outform DER


client certificate**
 
openssl genrsa -des3 -out client-key.pem 2048
 
openssl req -new -key client-key.pem -out client-csr.pem
 
openssl ca -in client-csr.pem -out client-crt.pem -days 125 -extensions xpclient_ext -extfile xpextensions -policy policy_anything
 
openssl pkcs12 -export -in client-crt.pem -inkey client-key.pem -name "Radius Suse" -certfile client-crt.pem -out client.p12
 
openssl x509 -inform PEM -outform DER -in client-clt.pem -out client-clt.der







  



Re: peap problems

2005-01-25 Thread Michael Griego
I'm guessing you're using the Windows XP supplicant?  This looks like a 
classic case of your CA certificate not being present on the client machine.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

ealatalo wrote:
Quoting Jacques VUVANT [EMAIL PROTECTED]:

Hello T
It seems that the user doesn't exist on users.conf
Jacques

The problem was that I had changed the detail NT_Domain_hack = yes. Now I changed it back
to no and that problem is solved. But now I get the following new problem. :( 

Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1117, id=92, length=141
User-Name = TWIRE12\\jaskajok
NAS-IP-Address = 10.50.50.13
Called-Station-Id = 00034715cbc3
Calling-Station-Id = 00022d1d5cb1
NAS-Identifier = WARLORD1
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
Message-Authenticator = 0x08a61ed2a9cfdf1b75fddc6da963f23a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = TWIRE12\jaskajok, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched DEFAULT at 156
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 92 to 10.50.50.13:1117
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xe6b4b0ad3e594db130de344878b1cd7c
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 92 with timestamp 41f6af2e
Nothing to do.  Sleeping until we see a request.

part of eap.conf
default_eap_type = peap
...
tls {
private_key_password = arvaatko
private_key_file = ${raddbdir}/varmenteet/palvelin-key.pem
#  If Private key & Certificate are located in
#  the same file, then private_key_file &
#  certificate_file must contain the same file
#  name.
certificate_file = ${raddbdir}/varmenteet/palvelin-crt.pem
#  Trusted Root CA list
CA_file = ${raddbdir}/varmenteet/CA-crt.pem
dh_file = ${raddbdir}/varmenteet/certs/dh
random_file = ${raddbdir}/varmenteet/certs/random
...
peap {
default_eap_type = mschapv2
}
**
part of users
jaskajok    User-Password == Reititys2
Framed-IP-Address = 10.50.50.12,
Framed-IP-Netmask = 255.255.255.0
***
radiusd.conf -no changes made
***



Re: peap problems

2005-01-24 Thread ealatalo
 
 Hi!
 
 I'm trying to configure freeradius with PEAP authentication. I use WinXP for
 the client. When starting authentication, I get the following error. Can somebody
 help me and tell me what is going wrong? I have made changes to the radius.conf, eap.conf,
 users and clients.conf files. Should I make changes to the huntsgroup file?
  (freeradius 1.0.0  Suse 9.2)
 
 T.ea
 
 
 Ready to process requests.
 rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21, length=141
 User-Name = TWIRE12\\jaskajok
 NAS-IP-Address = 10.50.50.13
 Called-Station-Id = 00034715cbc3
 Calling-Station-Id = 00022d1d5cb1
 NAS-Identifier = WARLORD1
 NAS-Port = 29
 Framed-MTU = 1300
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
 Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = jaskajok, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 1 length 21
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
 users: Matched jaskajok at 97
   modcall[authorize]: module files returns ok for request 0
 modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_eap: Identity does not match User-Name, setting from EAP Identity.
   rlm_eap: Failed in handler
   modcall[authenticate]: module eap returns invalid for request 0
 modcall: group authenticate returns invalid for request 0
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 


  (freeradius 1.0.0  Suse 9.2)


  I have the following line in the users file. (I don't have a users.conf file..?)
  


#John Doe Auth-Type := Local, User-Password == hello
#   Reply-Message = Hello, %u

jaskajok    User-Password == Reititys3

#
# Dial user back and telnet to the default host for that port
 



