Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Sergio

Anders Holm wrote:

[snip]



I agree, a good beginning would be to comment out all the modules you're not 
using. The instances of the modules are in sites-enabled/default and 
sites-enabled/inner-tunnel (for PEAP and TTLS).


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Alan DeKok
Sergio wrote:
 I agree, a good beginning would be to comment out all the modules you're not
 using. The instances of the modules are in sites-enabled/default and
 sites-enabled/inner-tunnel (for PEAP and TTLS).

  For debugging... no.  The default configuration file WORKS in the
widest possible set of circumstances.  If it isn't working, it's usually:

  a) the client (e.g. Windows)
  b) the NAS (e.g. recent comments about 3com)

  You should edit the default configuration ONLY for production
environments, and ONLY after the debug setup is working to your
satisfaction.

  Alan DeKok.


Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Reveal MAP

I agree, a good beginning would be to comment out all the modules you're not 
using. The instances of the modules are in sites-enabled/default and 
sites-enabled/inner-tunnel (for PEAP and TTLS).

-

--- Don't worry, it will be done soon (as soon as the week starts again). I 
really want to figure it out.



  

Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Reveal MAP
Yes, Alan, we already know that the default config does work! My thinking: freeradius 
(in our case, Sergio's and mine) is correctly configured. But we encountered a 
problem showing no error message. So to make the log slimmer, why not 
deactivate some non-mandatory modules in our scenario?? So the output will show 
the strictly necessary information...

e.g. PAP: I don't need the PAP module at all to figure out the problem of 
PEAP/mschapv2 and Active Directory.

And another question Alan: did you test the bootstrap script on windows and can 
you tell us how it works at your side please? How do you find the 
certification chain!!!

thanks a lot




Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Alan DeKok
Reveal MAP wrote:
 Yes, Alan, we already know that the default config does work! My thinking:
 freeradius (in our case, Sergio's and mine) is correctly configured. But we
 encountered a problem showing no error message. So to make the log
 slimmer, why not deactivate some non-mandatory modules in our scenario??
 So the output will show the strictly necessary information...

  Because editing the config files when you don't know what they do is
almost always a bad idea.  Recommending that *other* people edit the
config files when you don't know what they do is *very* much a bad idea.
 You are actively confusing people, and making it harder for them to
solve their problems.

 e.g. PAP: I don't need the PAP module at all to figure out the problem of
 PEAP/mschapv2 and Active Directory.
 
 And another question Alan: did you test the bootstrap script on windows
 and can you tell us how it works at your side please? How do you find
 the certification chain!!!

  It works for me.

  Alan DeKok.


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Reveal MAP
Ok, 

now we know what not to do at all. We are still wondering what we have to do.

- if bootstrap works at your side, there is no reason that it doesn't work at our 
side: we didn't change anything in this file, but followed the 
/etc/raddb/certs/README file...

hope we will figure the problem out together.




Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Alan DeKok
Reveal MAP wrote:
 now we know what not to do at all. we are still wondering what we have
 to do.

  Use a client that isn't broken.  Sorry.  Try SecureW2.

  Alan DeKok.


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Sergio

Reveal MAP wrote:



 installing ca.der and putting user & pass into the client machine, the
authentication doesn't work?

  -- no, it doesn't!

 you only need ca.der but, if you have an active directory like LDAP,
check if your communication with the AD server also has tls authentication.
In the ldap module you can configure another tls block, which is
different from the tls block in the eap module.

  -- Well, the howto explaining how freeradius has to authenticate 
users against Active Directory says nothing about ldap config files on the 
linux server. It just gives tips about samba, using winbind, 
ntlm_auth, krb5.conf, nsswitch.conf and the mschap module in freeradius.
I have already succeeded with this kind of authentication without reading or changing 
a line of the ldap module in freeradius.
And I think authenticating users against OpenLDAP won't be managed 
like freeradius authentication using Active Directory.


I don't know if it is your problem, but I suppose that communication
between the ldap server and radius can have different certificates, from
different CAs than the eap communication.


my wireless network is secured with wpa/wpa2 enterprise, requiring a 
RADIUS server to perform authentication. So I am doing 802.1x 
authentication which exploits a valid PKI, regardless of the user 
base. This is how I understand it.


  If it is your problem, I would
check it. Also it would be good if you post the debug output of radius to see which
certificate can't validate.

see the log there: http://tinypaste.com/5b99b
active and valid user is:
login: glouglou
password: glouglou

aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
password:
NT_STATUS_OK: Success (0x0)
aaa:~ #



:/ Any help will be appreciated. These days I am wondering about the 
validity of the server certificate!
I have to tell you that, in my case, if I try a peap authentication 
against Active Directory with wrong user credentials, I get an 
error message saying that login or password is incorrect. With good 
user credentials, I just obtain what you can see in the radiusd -X 
output (http://tinypaste.com/5b99b)


thank you




but I think you don't have any problem with certificates, looking at 
the radius debug:


rlm_eap_tls:  TLS 1.0 Handshake [length 0086], ClientKeyExchange
   TLS_accept: SSLv3 read client key exchange A
 rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
 rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 read finished A
 rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
   TLS_accept: SSLv3 write change cipher spec A
 rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 write finished A
   TLS_accept: SSLv3 flush data
   (other): SSL negotiation finished successfully
SSL Connection Established

the client is telling you that it has verified the server cert (against 
ca.der). Then the server writes ChangeCipherSpec and Finished, and the tls phase 
is finished. I think you have problems with the mschapv2 phase, assuming 
your sql queries are working.

Your problem begins here:

rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
+- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
   expand: --username=%{mschap:User-Name} - --username=glouglou

I think..
I've never configured peap/mschapv2, but sometimes I've read, not 
carefully, about some dependencies between the mschap module and mschapv2 or 
something like that.

hope this helps you

Re: Re : Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Phil Mayers

see the log there: http://tinypaste.com/5b99b



Your problem is nothing to do with certificates. The PEAP tunnel gets 
setup correctly, the MS-CHAP client-server auth succeeds, but the final 
server-client (mutual) auth appears to fail.


This could be for a number of reasons, but it's a problem at the client 
side. You will need to debug it at the client side.

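A worked decode of the packets quoted in this thread, added here as an illustration (Python; not code from FreeRADIUS, Samba or anyone on the list). It parses the Identity response, the outer PEAP Access-Challenge and the tunneled EAP-MSCHAPv2 Success from the radiusd -X output posted in the thread, and recomputes the MS-CHAPv2 authenticator response ("S=...") per RFC 2759 section 8.7 from the logged NT_KEY, NT-Response and %{mschap:Challenge}. Two assumptions are built in: the NT_KEY printed by ntlm_auth --request-nt-key is used as the RFC's PasswordHashHash (which is how rlm_mschap uses it), and %{mschap:Challenge} for MS-CHAPv2 is the 8-byte ChallengeHash. If check_thread_success() reports a mismatch, the server's inputs (the username used for the challenge hash, domain stripping) deserve a look before blaming the supplicant; if it matches, the inner Success the server sent is what the client should accept, and the silence after the last Access-Challenge is on the client side, as Phil says. The Identity decode also answers a question asked later in the thread: "PLUTON\glouglou" in the first Access-Request is the EAP identity, not a password.

```python
"""Decode the EAP packets quoted in this thread and recompute the MS-CHAPv2
authenticator response (RFC 2759, section 8.7).
Added illustration for the thread; not FreeRADIUS or Samba code. The hex
constants are copied from the radiusd -X output posted in the thread."""
import hashlib
import struct

# --- values copied from the debug output in the thread -----------------------
IDENTITY_RESPONSE = bytes.fromhex("020a001401504c55544f4e5c676c6f75676c6f75")
TUNNELED_SUCCESS = bytes.fromhex(
    "011200331a0311002e533d31303435323031393932"
    "463633443944424132303644424643343341413242354132313236344636")
OUTER_PEAP = bytes.fromhex(
    "0112004a1900170301003f"
    "9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed"
    "9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3")
CHALLENGE_HASH8 = bytes.fromhex("4a2a69e7929b2c03")           # %{mschap:Challenge}
NT_RESPONSE = bytes.fromhex("e9ea7e1669ef48501476149962484763f8f98b93fca2ced6")
NT_KEY = bytes.fromhex("067F1C60B6DDB9D2802A458C4EFE22C1")    # ntlm_auth NT_KEY

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
MAGIC1 = b"Magic server to client signing constant"      # RFC 2759, 8.7
MAGIC2 = b"Pad to make it do more than one iteration"


def decode_eap(packet):
    """Parse one EAP packet: RFC 3748 header plus the type data we care about."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(packet)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                       # Success/Failure have no type byte
        return info
    eap_type = packet[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                        # Identity: the NAI, not a password
        info["identity"] = packet[5:].decode("ascii")
    elif eap_type == 25:                     # PEAP: flags, [4-byte TLS length], TLS records
        flags = packet[5]
        off = 6 + (4 if flags & 0x80 else 0)
        info["flags"] = flags
        if len(packet) >= off + 5:
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", packet[off:off + 5])
            info["tls_record"] = {"content_type": ctype, "version": (vmaj, vmin), "length": rlen}
    elif eap_type == 26:                     # EAP-MSCHAPv2: opcode, id, ms-length, data
        opcode, ms_id, ms_len = struct.unpack("!BBH", packet[5:9])
        info.update(opcode=MSCHAPV2_OPCODES.get(opcode, opcode), ms_id=ms_id)
        if opcode == 3:                      # Success: ASCII "S=<40 hex>" authenticator response
            info["message"] = packet[9:5 + ms_len].decode("ascii")
    return info


def authenticator_response(password_hash_hash, nt_response, challenge8):
    """RFC 2759 GenerateAuthenticatorResponse, starting from PasswordHashHash.
    Assumption (this is how rlm_mschap treats the ntlm_auth output): NT_KEY is
    PasswordHashHash, and %{mschap:Challenge} is the 8-byte ChallengeHash."""
    if (len(password_hash_hash), len(nt_response), len(challenge8)) != (16, 24, 8):
        raise ValueError("expected 16-byte hash-hash, 24-byte NT-Response, 8-byte challenge")
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    final = hashlib.sha1(digest + challenge8 + MAGIC2).digest()
    return "S=" + final.hex().upper()


def check_thread_success():
    """Compare the S= value the server sent with what RFC 2759 gives for the logged inputs."""
    sent = decode_eap(TUNNELED_SUCCESS)["message"]
    expected = authenticator_response(NT_KEY, NT_RESPONSE, CHALLENGE_HASH8)
    return {"sent": sent, "expected": expected, "match": sent == expected}


if __name__ == "__main__":
    for name, pkt in (("Identity response", IDENTITY_RESPONSE),
                      ("outer PEAP Access-Challenge", OUTER_PEAP),
                      ("tunneled EAP-MSCHAPv2", TUNNELED_SUCCESS)):
        print(name, decode_eap(pkt))
    print("authenticator response check:", check_thread_success())
```

Run it as-is to see the three decodes: the outer Access-Challenge is one TLS 1.0 application-data record of 63 bytes (the encrypted inner Success), and the inner packet is EAP-MSCHAPv2 opcode 3 carrying the 42-character "S=..." string the supplicant has to verify before it answers.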


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Reveal MAP
thanks for responding, dude. Let's take a look at this part of the log!
(remember too that I am new to linux, many things are still chinese to
me)

I agree, my certificates are OK to do EAP in general.
My comments are the lines starting with //:

my mschap module config is:
--
mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = yes
    # One quoted string on a single line. The version as posted ended in
    # "...NT-Response:-00}}"; that extra "}" was passed to ntlm_auth verbatim
    # (see "--nt-response=...ced6}" in the expand lines of the log below).
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

my peap and mschapv2 module config is:
---
Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = yes
   }


output of eap/mschapv2authentication is:

rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this. //Normal, I am not willing to do 
PAP but mschapv2
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password. 
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
//do the 3 previous lines mean there is an error? what does "No 
Cleartext-Password configured" mean?
   // what does LM-Password mean? and if it's an error, how could I correct it?
   // I thought it was normal, as I am sure windows never sends a 
cleartext-Password

expand: --username=%{mschap:User-Name}- --username=glouglou //...???...

  mschap2: d1
expand: --challenge=%{mschap:Challenge:-00} - 
--challenge=4a2a69e7929b2c03 //...???...
expand: --nt-response=%{mschap:NT-Response:-00}} -  
--nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???...
Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 
//...???...
//negotiation that is out
of the range of my brain till now, but I think it's normal security
negotiation in a windows system, and there is no error here.

Exec-Program: returned: 0 //...???...
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success //...???... if MSCHAP Success, where is the problem with this 
module???
++[eap] returns handled
} # server (null) //...???...
  PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 
0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
Message-Authenticator = 0x
State = 0x95b92b9094ab31501a0a30daea5106ca
  PEAP: Processing from tunneled session code 0x81b78d8 11
EAP-Message = 
0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
Message-Authenticator = 0x
State = 0x95b92b9094ab31501a0a30daea5106ca
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
EAP-Message =
0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
Message-Authenticator = 0x
State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then what? 
and why does it stop..???...
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 157 with timestamp +47
Cleaning up request 3 ID 158 with timestamp +47
Cleaning up request 4 ID 159 with timestamp +47
Cleaning up request 5 ID 160 with timestamp +47
Cleaning up request 6 ID 161 with timestamp +47
Cleaning up request 7 ID 162 with timestamp +47
Cleaning up request 8 ID 163 with timestamp +47
Cleaning up request 9 ID 164 with timestamp +47
Ready to process requests.
  



Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Reveal MAP


I read the post: PEAP or TTLS and Microsoft Vista.

What I retain is that I have to test another wireless manager than the 
built-in one of windows XP. Ok, I will as soon as I am in front of the server 
(no chance, it's the weekend now)



----- Original message -----
From: nf-vale [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 25 July 2008, 20:51:58
Subject: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem 
with eap-tls)

Are you using vista supplicant? By reading the last lines of your radius
debug file it seems so...


See earlier posts with subject:  PEAP or TTLS and Microsoft Vista.



Fri, 2008-07-25 at 17:10 +, Reveal MAP wrote:
 
 

Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Anders Holm
 [snip]
 
 rlm_pap: WARNING! No known good password found for the user.  Authentication
 may fail because of this. //Normal, I am not willing to do
 PAP but mschapv2
 
 [me] If you're not using a module, disable it. All it'll do is add latency,
 delays and unnecessary log messages. Comment it out ...
 
 ++[pap] returns noop
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 +- entering group authenticate
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/mschapv2
   rlm_eap: processing type mschapv2
 +- entering group MS-CHAP
   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
 //do the 3 previous lines mean there is an error? what does "No
 Cleartext-Password configured" mean?
 
 [me] it means it cannot find a clear text password in the backend data store,
 which it expects to do ..
 
 // what does LM-Password mean? and if it's an error, how could I correct it?
 
 [me] Check your configuration. All depends on so many things ..
 
 // I thought it was normal, as I am sure windows never sends a
 cleartext-Password
 
 Oh, Windows sure has been using clear text passwords, so it then also has a
 need to be backwards compatible with itself, right?
 
 
 expand: --username=%{mschap:User-Name}- --username=glouglou
 //...???...
 
  mschap2: d1
 expand: --challenge=%{mschap:Challenge:-00} -
 --challenge=4a2a69e7929b2c03 //...???...
 expand: --nt-response=%{mschap:NT-Response:-00}} -
 --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???...
 Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
 Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
 //...???...
 //negotiation that is out of the range of my brain till now, but I think it's
 normal security negotiation in a windows system, and there is no error here.
 
 Exec-Program: returned: 0 //...???...
 rlm_mschap: adding MS-CHAPv2 MPPE keys
 ++[mschap] returns ok
 MSCHAP Success //...???... if MSCHAP Success, where is the problem with this
 module???
 
 [me] what makes you believe there is a problem at this stage?
 
 ++[eap] returns handled
 } # server (null) //...???...
   PEAP: Got tunneled reply RADIUS code 11
 EAP-Message =
 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
 Message-Authenticator = 0x
 State = 0x95b92b9094ab31501a0a30daea5106ca
   PEAP: Processing from tunneled session code 0x81b78d8 11
 EAP-Message =
 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
 Message-Authenticator = 0x
 State = 0x95b92b9094ab31501a0a30daea5106ca
   PEAP: Got tunneled Access-Challenge
 ++[eap] returns handled
 Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
 EAP-Message =
 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
 Message-Authenticator = 0x
 State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then what?
 and why does it stop..???...
 
 [me] why do I get the feeling that if Message-Authenticator is all zeros, it
 is a "nope, not going to happen mate" type return, effectively stopping any
 further processing. Why I have no idea .. Alan??
 
 [cut out bits that are not relevant, nor commented, nor anything. Let's trim
 messages folks. If it's not used or relevant, get rid of it.. It only takes
 space]


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Reveal MAP
hmm... it's true, I didn't test authentication with another laptop! I will! And 
I will also test with SecureW2 instead of the XP built-in wireless manager, and see!!


 see the log there: http://tinypaste.com/5b99b


Your problem is nothing to do with certificates. The PEAP tunnel gets 
setup correctly, the MS-CHAP client-server auth succeeds, but the final 
server-client (mutual) auth appears to fail.

This could be for a number of reasons, but it's a problem at the client 
side. You will need to debug it at the client side.

Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Reveal MAP
http://tinypaste.com/5b99b = radiusd -X output.

[snip]

rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this. //Normal, I am not willing to do 
PAP but mschapv2

[me] If you're not using a module, disable it. All it'll do is add latency, 
delays and unnecessary log messages. Comment it out ...

lol,

I already deactivated the chap module; I left pap because sometimes I use
radtest for testing! But the PAP and SQL modules will be deactivated soon and
we shall see. Maybe Monday or Tuesday you will have a clean log! Please stay
connected to the post.

++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password. 
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
//do the 3 previous lines mean there is an error? what does "No 
Cleartext-Password configured" mean?


[me] it means it cannot find a clear text password in the backend data store, 
which it expects to do ..

[Revealmap]
pfiouh, previously with another version of freeradius and the same devices and 
the same config, doing the same type of authentication, I was sure I had these 
two lines and encountered no error! but I am not sure!

   // what does LM-Password mean? and if it's an error, how could I correct it?

[me] Check your configuration. All depends on so many things ..

   // I thought it was normal, as I am sure windows never sends a 
cleartext-Password

Oh, Windows sure has been using clear text passwords, so it then also has a 
need to be backwards compatible with itself, right?


expand: --username=%{mschap:User-Name}- --username=glouglou //...???...

 mschap2: d1
expand: --challenge=%{mschap:Challenge:-00} - 
--challenge=4a2a69e7929b2c03 //...???...
expand: --nt-response=%{mschap:NT-Response:-00}} -  
--nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???...
Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 
//...???...
//negotiation that is out of the range of my brain till now, but I think it's 
normal security negotiation in a windows system, and there is no error here.

Exec-Program: returned: 0 //...???...
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success //...???... if MSCHAP Success, where is the problem with this 
module???

[me] what makes you believe there is a problem at this stage?
[Revealmap]
I was just showing Sergio that I think the mschapv2 module is correct

++[eap] returns handled
} # server (null) //...???...
  PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 
0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
Message-Authenticator = 0x
State = 0x95b92b9094ab31501a0a30daea5106ca
  PEAP: Processing from tunneled session code 0x81b78d8 11
EAP-Message = 
0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
Message-Authenticator = 0x
State = 0x95b92b9094ab31501a0a30daea5106ca
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
EAP-Message = 
0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
Message-Authenticator = 0x
State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then What? 
and why its stops..???...

me why do I get the feeling that if Message-Authenticator is all zeros, it is 
a “nope, not going to happen mate” type return, effectively stopping any 
further processing. Why I have no idea .. Alan??

Reveal MAP: the NAS sends a Message-Authenticator, but what happens here? (see below)
And um... isn't it a cleartext password received here??

rad_recv: Access-Request packet from host 10.10.44.246 port 1042, id=157, 
length=168
User-Name = PLUTON\\glouglou
NAS-IP-Address = 10.10.44.246
NAS-Port = 2
Called-Station-Id = 00-1C-F0-08-FB-FA:PEAP
Calling-Station-Id = 00-12-F0-0C-97-61
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x020a001401504c55544f4e5c676c6f75676c6f75
Message-Authenticator = 0x89dbb5baabca7b646ff74e7a0372d4d2


[cut out bits that are not relevant, nor commented, nor anything. Let's trim 
messages folks]

Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Phil Mayers

On Thu, Jul 24, 2008 at 09:14:54PM +0200, Alan DeKok wrote:

Phil Mayers wrote:

Alan - it does look to my untrained eye as if the client.crt Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?


 It's intentional.  It's a perfectly valid use of certificate chains.

 The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.


Ah, I see.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Reveal MAP
HOW TO FIX THE PROBLEM OF THE ISSUER of client certificates in the default 
configuration?

- This bug is suspected to be why I can't do EAP-PEAP, and to affect CRL 
management too. It's a real problem.





- Original message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, 24 July 2008, 19:54:32
Subject: Re: cert bootstrap bug? (was Re: definitively, I have a problem with 
eap-tls)

Sergio wrote:
 But the debug I posted shows that radius doesn't recognize the issuer of
 client cert using default certs. If default certs works and I don't need
 to install server.pem and ca.pem into ssl/certs dir, what I'm forgetting
 alan?

  You need to follow the documentation in eap.conf.

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/server.pem

  Have you done that?

  Alan DeKok.



  

Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Sergio

Reveal MAP wrote:
HOW TO FIX THE PROBLEM OF THE ISSUER of client certificates in the 
default configuration?


- This bug is suspected to be why I can't do EAP-PEAP, and to affect CRL 
management too. It's a real problem.





But I think this problem does not affect PEAP, because PEAP does not use 
client certs; you only need to install ca.der on the client machine and 
enter the passwords.



Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Reveal MAP
 But I think this problem does not affect PEAP, because PEAP does not use 
 client certs; you only need to install ca.der on the client machine and 
 enter the passwords.

I refer to that:

 so my question is, if the certificate (with server extension) is
missing on the client, could it interfere with EAP-PEAP authentication
success?

yes.

you need a RADIUS cert with the extensions...and if doing proper
PEAP, you need the CA installed on the client too  - with 'validate
server certificate' checked and cross-linked (ie you choose
the correct CA in the list!)

alan

Really?? It seems to affect PEAP too when FreeRADIUS authenticates against 
Active Directory.

If I understood well, PEAP authentication needs, client side, a login + password, 
and server side, a certificate, in order for the authentication process to succeed!
So, which certificate do I have to install on the client side?
- I already tried ca.der with no success! After an Access-Challenge, the 
request simply stops.
- I am trying server.crt too, with no more success. I install it in the intermediate 
authority container, but it won't be available in the list of the wireless 
manager of XP.
If you have a suggestion, I am open!





Re: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Sergio


Then, you're trying to tell me the following:

installing ca.der and putting user and pass into the client machine, the 
authentication doesn't work?
You only need ca.der, but if you have an Active Directory like LDAP, 
check if your communication with the AD server also has TLS authentication.
In the ldap module you can configure another tls block, which is 
different from the tls block in the eap module.
I don't know if it is your problem, but I suppose that communication 
between the LDAP server and RADIUS can have different certificates, from 
different CAs than the EAP communication. If it is your problem, I would 
check it. It would also be good if you posted the debug output of radius to see which 
certificate it can't validate.


See you later :)

Re : Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Reveal MAP


 installing ca.der and putting user and pass into the client machine, the 
authentication doesn't work?

  -- no, it doesn't! 

 You only need ca.der, but if you have an Active Directory like LDAP, 
check if your communication with the AD server also has TLS authentication.
In the ldap module you can configure another tls block, which is 
different from the tls block in the eap module.

 -- Well, the howto explaining how FreeRADIUS has to authenticate users 
against Active Directory says nothing about ldap config files on the Linux server. 
It just gives tips about Samba, using winbind, ntlm_auth, krb5.conf, 
nsswitch.conf and the mschap module in FreeRADIUS.
I have always succeeded with this kind of authentication without reading or changing a line 
of the ldap module in FreeRADIUS.
And I think authenticating users against OpenLDAP won't be managed like 
authentication of FreeRADIUS using Active Directory.

I don't know if it is your problem, but I suppose that communication 
between the LDAP server and RADIUS can have different certificates, from 
different CAs than the EAP communication.


My wireless network is secured with WPA/WPA2 Enterprise, requiring a RADIUS 
server to perform authentication. So I am doing 802.1X authentication, which 
exploits a valid PKI, regardless of the user base. This is how I understand 
it.

  If it is your problem, I would 
check it. It would also be good if you posted the debug output of radius to see which 
certificate it can't validate.

See the log there: http://tinypaste.com/5b99b 
The active and valid user is:
login: glouglou
password: glouglou

aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
password:
NT_STATUS_OK: Success (0x0)
aaa:~ # 


:/ Any help will be appreciated. These days I am wondering about the validity of 
the server certificate!
I have to tell you that, in my case, if I try a PEAP authentication against 
Active Directory with wrong user credentials, I get an error message saying 
that the login or password is incorrect. With good user credentials, I just obtain 
what you can see in the radiusd -X output (http://tinypaste.com/5b99b) 

thank you


  

Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread nf-vale
Are you using the Vista supplicant? Reading the last lines of your radius
debug file, it seems so...


See earlier posts with subject:  PEAP or TTLS and Microsoft Vista.




Re: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Sergio

nf-vale wrote:

Are you using the Vista supplicant? Reading the last lines of your radius
debug file, it seems so...


See earlier posts with subject:  PEAP or TTLS and Microsoft Vista.





No, I have this error using both the Linux wpa_supplicant and xp3. I have wpa_supplicant running OK 
with another two EAP modules, but not with the default PKI. I'm really flipado (I don't know 
the exact translation of flipado, but it seems to be very very very very ..surprised) 
because I've tried a lot of things to solve it. I think learning English is a good beginning, 
jejeje. Thanks
  



Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Alan DeKok
Phil Mayers wrote:
 Alan - it does look to my untrained eye as if the client.crt Makefile
 target in /etc/raddb/certs is signing the client key with the server
 key. Is this intentional, or a bug?

  It's intentional.  It's a perfectly valid use of certificate chains.

  The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.

  Alan DeKok.
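Added example, not code from this thread or from FreeRADIUS: a throwaway PKI built with openssl that mirrors the chain Alan describes above (one CA signs the server cert, the server key issues the client cert), then checks the eap.conf point quoted earlier in the thread, that with CA_file unset the certificate_file bundle must carry the CA that signed the server cert or the client cert cannot be validated. File names and subject names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or FreeRADIUS. Builds a throwaway
# CA -> server -> client chain like raddb/certs does, then shows why the
# eap.conf certificate_file must carry the CA when CA_file is not set.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Root CA (constructed, self-signed, throwaway).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. Server cert signed by the CA. CA:TRUE plus keyCertSign let the server
#    key issue client certs, as the client.crt Makefile target does.
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,digitalSignature\n' \
  > server.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example RADIUS server" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 2 -extfile server.ext -out server.crt >/dev/null 2>&1

# 3. Client cert issued by the *server* key, not directly by the CA.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=glouglou" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA server.crt -CAkey server.key \
  -CAcreateserial -days 2 -extfile client.ext -out client.crt >/dev/null 2>&1

# Two candidate certificate_file bundles: the server cert alone (the
# misconfiguration) and server cert + issuing CA (what eap.conf asks for).
cat server.crt > server-only.pem
cat server.crt ca.pem > server-bundle.pem

# Number of certificates a PEM bundle carries.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Validate the client cert using only the given bundle as trust and chain
# source, which is the position the server is in when CA_file is unset.
# Returns 0 when the chain closes at a self-signed root, non-zero otherwise.
verify_client_with() {
  openssl verify -CAfile "$1" client.crt >/dev/null 2>&1
}

# Show both outcomes when run directly.
printf 'server-only.pem holds %s cert(s): ' "$(cert_count server-only.pem)"
verify_client_with server-only.pem && echo "client verifies" \
  || echo "client rejected (issuer of the server cert is unknown)"
printf 'server-bundle.pem holds %s cert(s): ' "$(cert_count server-bundle.pem)"
verify_client_with server-bundle.pem && echo "client verifies" \
  || echo "client rejected"
```

The same two-line difference is what separates a certificate_file that only holds server.pem from one that also appends the CA, which is the check Alan asks Sergio to make.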


Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Sergio


  
But the debug I posted shows that radius doesn't recognize the issuer of the 
client cert using the default certs. If the default certs work and I don't need 
to install server.pem and ca.pem into the ssl/certs dir, what am I forgetting, 
Alan?



Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Sergio


  
Sorry, only one more note: the bootstrap command doesn't make client certs. 
You need to execute make client.pem to make them.

I also assume that this is normal.