Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Reveal MAP wrote:
> Now we know what not to do at all. We are still wondering what we have
> to do.

  Use a client that isn't broken.  Sorry.  Try SecureW2.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
OK, now we know what not to do at all. We are still wondering what we have to do.

- If bootstrap works at your side, there is no reason that it doesn't work at our side: we didn't change anything in this file, but followed the /etc/raddb/certs/README file... Hope we will together figure the problem out.

----- Original message -----
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Sunday, 27 July 2008, 19:42:23
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Reveal MAP wrote:
> Yes, Alan, we already know that the default config does work! To my mind,
> freeradius (in our case, Sergio and me) is correctly configured. But we
> encountered a problem showing no error message. So, to make the log
> slimmer, why not deactivate some non-mandatory modules in our scenario,
> so the output will show the strictly necessary information...

  Because editing the config files when you don't know what they do is
almost always a bad idea.  Recommending that *other* people edit the
config files when you don't know what they do is *very* much a bad idea.

  You are actively confusing people, and making it harder for them to
solve their problems.

> e.g.: PAP: I don't need the PAP module at all to figure out the problem of
> PEAP/MSCHAPv2 and Active Directory.
>
> And another question, Alan: did you test the bootstrap script in Windows,
> and can you tell us how it works at your side please? How do you find
> the certification chain!!!

  It works for me.

  Alan DeKok.
Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Reveal MAP wrote:
> Yes, Alan, we already know that the default config does work! To my mind,
> freeradius (in our case, Sergio and me) is correctly configured. But we
> encountered a problem showing no error message. So, to make the log
> slimmer, why not deactivate some non-mandatory modules in our scenario,
> so the output will show the strictly necessary information...

  Because editing the config files when you don't know what they do is
almost always a bad idea.  Recommending that *other* people edit the
config files when you don't know what they do is *very* much a bad idea.

  You are actively confusing people, and making it harder for them to
solve their problems.

> e.g.: PAP: I don't need the PAP module at all to figure out the problem of
> PEAP/MSCHAPv2 and Active Directory.
>
> And another question, Alan: did you test the bootstrap script in Windows,
> and can you tell us how it works at your side please? How do you find
> the certification chain!!!

  It works for me.

  Alan DeKok.
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Yes, Alan, we already know that the default config does work! To my mind, freeradius (in our case, Sergio and me) is correctly configured. But we encountered a problem showing no error message. So, to make the log slimmer, why not deactivate some non-mandatory modules in our scenario, so the output will show the strictly necessary information...

e.g.: PAP: I don't need the PAP module at all to figure out the problem of PEAP/MSCHAPv2 and Active Directory.

And another question, Alan: did you test the bootstrap script in Windows, and can you tell us how it works at your side please? How do you find the certification chain!!!

thanx a lot

----- Original message -----
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Sunday, 27 July 2008, 08:51:35
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Sergio wrote:
> I agree, a good beginning would be to comment out all modules you're not
> using. The instances of the modules are in sites-enabled/default and
> sites-enabled/inner-tunnel (for peap and ttls).

  For debugging... no.  The default configuration file WORKS in the
widest possible set of circumstances.  If it isn't working, it's usually:

a) the client (e.g. Windows)
b) the NAS (e.g. recent comments about 3com)

  You should edit the default configuration ONLY for production
environments, and ONLY after the debug setup is working to your
satisfaction.

  Alan DeKok.
Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
> I agree, a good beginning would be to comment out all modules you're not
> using. The instances of the modules are in sites-enabled/default and
> sites-enabled/inner-tunnel (for peap and ttls).

---

Don't worry, it will be done soon (as soon as the week starts again). I really want to figure it out.
Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Sergio wrote:
> I agree, a good beginning would be to comment out all modules you're not
> using. The instances of the modules are in sites-enabled/default and
> sites-enabled/inner-tunnel (for peap and ttls).

  For debugging... no.  The default configuration file WORKS in the
widest possible set of circumstances.  If it isn't working, it's usually:

a) the client (e.g. Windows)
b) the NAS (e.g. recent comments about 3com)

  You should edit the default configuration ONLY for production
environments, and ONLY after the debug setup is working to your
satisfaction.

  Alan DeKok.
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Anders Holm wrote:
> [snip]
>
> rlm_pap: WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> //Normal, I am not willing to do PAP but MSCHAPv2
>
> If you're not using a module, disable it. All it'll do is add latency,
> delays and unnecessary log messages. Comment it out ...
>
> ++[pap] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
> //do the 3 previous lines mean there is an error? what does "No
> Cleartext-Password configured" mean?
>
> it means it cannot find a clear text password in the backend data store,
> which it expects to do ..
>
> // what does LM-Password mean? and if it's an error, how could I correct it?
>
> Check your configuration. All depends on so many things ..
>
> // I thought it was normal, as I am sure Windows never sends
> "Cleartext-Password"
>
> Oh, Windows sure has been using clear text passwords, so it then also has a
> need to be backwards compatible with itself, right?
>
> expand: --username=%{mschap:User-Name} -> --username=glouglou
> //...???...
> mschap2: d1
> expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4a2a69e7929b2c03
> //...???...
> expand: --nt-response=%{mschap:NT-Response:-00}} -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6}
> //...???...
> Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> //...???...
> Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> //...???...
> //negotiation that is out of the range of my brain till now, but I think it's
> normal security negotiation in the Windows system, and there is no error here.
> Exec-Program: returned: 0
> //...???...
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> //...???... if MSCHAP Success, where is the matter with this module???
>
> what makes you believe there is a problem at this stage?
>
> ++[eap] returns handled
> } # server (null)
> //...???...
> PEAP: Got tunneled reply RADIUS code 11
>     EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
>     Message-Authenticator = 0x
>     State = 0x95b92b9094ab31501a0a30daea5106ca
> PEAP: Processing from tunneled session code 0x81b78d8 11
>     EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
>     Message-Authenticator = 0x
>     State = 0x95b92b9094ab31501a0a30daea5106ca
> PEAP: Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
>     EAP-Message = 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
>     Message-Authenticator = 0x
>     State = 0xe8ed0301efff1a196c3b0024d8e45892
> //...???... and then what? and why does it stop..???...
>
> why do I get the feeling that if Message-Authenticator is all zeros, it
> is a "nope, not going to happen mate" type return, effectively stopping any
> further processing. Why I have no idea .. Alan??
>
> [cut out bits that are not relevant, nor commented, nor anything. Let's trim
> messages folks. If it's not used or relevant, get rid of it.. It only takes
> space]

I agree, a good beginning would be to comment out all modules you're not using. The instances of the modules are in sites-enabled/default and sites-enabled/inner-tunnel (for peap and ttls).
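Decoding the two EAP-Message values from the log above shows what the server's last Access-Challenge actually carried. This is an added example, not code from the thread or from FreeRADIUS; it walks the EAP header (RFC 3748), the EAP-MSCHAPv2 opcode/id/length layout and the PEAP flags-plus-TLS-record carrier, and the only page data it uses are the two hex strings copied from the log. The inner packet turns out to be an MS-CHAPv2 Success request carrying the S= authenticator response, which the client must verify and acknowledge before any Access-Accept can follow.

```python
"""Decode the EAP-Message hex values that radiusd -X prints for the PEAP /
MS-CHAPv2 exchange, to read what the last Access-Challenge carried.
Layouts used: EAP (RFC 3748): code(1) id(1) length(2) [type(1) type-data];
EAP-MSCHAPv2 type-data: opcode(1) mschapv2-id(1) ms-length(2) data;
PEAP type-data: flags(1) [tls-length(4) if the L flag is set] TLS records;
TLS record header: content-type(1) version(2) length(2)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                     22: "Handshake", 23: "ApplicationData"}

# Both samples are copied from the radiusd -X output quoted in the thread.
# Inner (tunneled) reply: "PEAP: Got tunneled reply RADIUS code 11"
INNER_MSCHAPV2_SUCCESS = (
    "0x011200331a0311002e533d3130343532303139393246363344394442413230"
    "3644424643343341413242354132313236344636")
# Outer packet: "Sending Access-Challenge of id 164 to 10.10.44.246 port 1042"
OUTER_PEAP_CHALLENGE = (
    "0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e"
    "05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52"
    "cb7e6cc6693a8f1bb8847a7af3")

def _unhex(hexstr):
    """Strip the 0x prefix radiusd prints and return raw bytes."""
    h = hexstr.strip()
    return bytes.fromhex(h[2:] if h[:2].lower() == "0x" else h)

def parse_mschapv2(data):
    """EAP-MSCHAPv2 type-data.  A Success request carries 'S=<40 hex>', the
    server's authenticator response; the client must verify it and answer
    with a Success response before the server can send Access-Accept."""
    if len(data) < 4:
        raise ValueError("truncated EAP-MSCHAPv2 payload")
    opcode, ms_id, ms_len = struct.unpack("!BBH", data[:4])
    if ms_len != len(data):
        raise ValueError(f"MS-Length {ms_len} != {len(data)} bytes present")
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "mschapv2_id": ms_id}
    if opcode in (3, 4):  # Success and Failure requests carry ASCII text
        text = data[4:].decode("ascii", errors="replace")
        out["message"] = text
        if opcode == 3 and text.startswith("S=") and len(text) >= 42:
            out["authenticator_response"] = text[2:42]
    return out

def parse_peap(data):
    """PEAP type-data: flags byte, optional 4-byte TLS length (L flag), then
    TLS records.  Only record headers are readable; payloads are encrypted."""
    if not data:
        raise ValueError("empty PEAP payload")
    flags, pos = data[0], 1
    out = {"flags": flags, "records": []}
    if flags & 0x80:  # L bit: total TLS message length follows the flags
        out["tls_message_length"] = struct.unpack("!I", data[1:5])[0]
        pos = 5
    while pos + 5 <= len(data):
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        out["records"].append({"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
                               "version": f"{vmaj}.{vmin}",  # 3.1 is TLS 1.0
                               "length": rlen})
        pos += 5 + rlen
    return out

def parse_eap(hexstr):
    """Parse one EAP-Message value plus its type-data for Request/Response."""
    raw = _unhex(hexstr)
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) > 4:
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 26:
            pkt["mschapv2"] = parse_mschapv2(raw[5:])
        elif eap_type == 25:
            pkt["peap"] = parse_peap(raw[5:])
    return pkt

def exchange_state(inner_hex, outer_hex):
    """Summarise where the conversation stands after these two packets."""
    inner, outer = parse_eap(inner_hex), parse_eap(outer_hex)
    ms = inner.get("mschapv2", {})
    rec = (outer.get("peap", {}).get("records") or [{}])[0]
    if ms.get("opcode") == "Success":
        where = ("awaiting client verification of authenticator response "
                 + ms.get("authenticator_response", "?"))
    else:
        where = f"inner packet is {inner.get('type')} {ms.get('opcode')}"
    return (f"{where}; sent inside {outer.get('type')} as a TLS "
            f"{rec.get('content_type')} record of {rec.get('length')} bytes")

if __name__ == "__main__":
    print(parse_eap(INNER_MSCHAPV2_SUCCESS))
    print(parse_eap(OUTER_PEAP_CHALLENGE))
    print(exchange_state(INNER_MSCHAPV2_SUCCESS, OUTER_PEAP_CHALLENGE))
```

The empty Message-Authenticator in the debug print is not the stop signal Anders wonders about: it is a placeholder that FreeRADIUS fills with the HMAC-MD5 when it encodes and signs the outgoing packet (my reading of the server, not something stated in the thread). What the decoded packets do show is that the server has done its part of the mutual authentication and is waiting on the client, which matches the client-side diagnosis given later in the thread.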
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
> > http://tinypaste.com/5b99b = Radiusd -X output.
>
> [snip]
>
> rlm_pap: WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> //Normal, I am not willing to do PAP but MSCHAPv2
>
> If you're not using a module, disable it. All it'll do is add latency,
> delays and unnecessary log messages. Comment it out ...

lol, I deactivated the chap module already; I left pap because sometimes I use "radtest" for testing! But the PAP and SQL modules will be deactivated soon and we shall see. Maybe Monday or Tuesday you will have a clean log! Please stay connected to the post.

> ++[pap] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
> //do the 3 previous lines mean there is an error? what does "No
> Cleartext-Password configured" mean?
>
> it means it cannot find a clear text password in the backend data store,
> which it expects to do ..

pfiouh, previously with another version of freeradius and the same devices and the same config, doing the same type of authentication, I was sure I had these two lines and encountered no error! But I am not sure.!

> // what does LM-Password mean? and if it's an error, how could I correct it?
>
> Check your configuration. All depends on so many things ..
>
> // I thought it was normal, as I am sure Windows never sends
> "Cleartext-Password"
>
> Oh, Windows sure has been using clear text passwords, so it then also has a
> need to be backwards compatible with itself, right?
>
> expand: --username=%{mschap:User-Name} -> --username=glouglou
> //...???...
> mschap2: d1
> expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4a2a69e7929b2c03
> //...???...
> expand: --nt-response=%{mschap:NT-Response:-00}} -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6}
> //...???...
> Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> //...???...
> Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> //...???...
> //negotiation that is out of the range of my brain till now, but I think it's
> normal security negotiation in the Windows system, and there is no error here.
> Exec-Program: returned: 0
> //...???...
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> //...???... if MSCHAP Success, where is the matter with this module???
>
> what makes you believe there is a problem at this stage?
>
> why do I get the feeling that if Message-Authenticator is all zeros, it
> is a "nope, not going to happen mate" type return, effectively stopping any
> further processing. Why I have no idea .. Alan??
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
hmm... it's true I didn't test authentication with another laptop! I will! And I will also try with SecureW2 instead of the XP built-in wireless manager, and see!!

> > see the log there: http://tinypaste.com/5b99b
>
> Your problem is nothing to do with certificates. The PEAP tunnel gets set
> up correctly, the MS-CHAP client->server auth succeeds, but the final
> server->client (mutual) auth appears to fail.
>
> This could be for a number of reasons, but it's a problem at the client
> side. You will need to debug it at the client side.
Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
> [snip]
>
> rlm_pap: WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> //Normal, I am not willing to do PAP but MSCHAPv2
>
> If you're not using a module, disable it. All it'll do is add latency,
> delays and unnecessary log messages. Comment it out ...
>
> ++[pap] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
> rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
> //do the 3 previous lines mean there is an error? what does "No
> Cleartext-Password configured" mean?
>
> it means it cannot find a clear text password in the backend data store,
> which it expects to do ..
>
> // what does LM-Password mean? and if it's an error, how could I correct it?
>
> Check your configuration. All depends on so many things ..
>
> // I thought it was normal, as I am sure Windows never sends
> "Cleartext-Password"
>
> Oh, Windows sure has been using clear text passwords, so it then also has a
> need to be backwards compatible with itself, right?
>
> expand: --username=%{mschap:User-Name} -> --username=glouglou
> //...???...
> mschap2: d1
> expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4a2a69e7929b2c03
> //...???...
> expand: --nt-response=%{mschap:NT-Response:-00}} -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6}
> //...???...
> Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> //...???...
> Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> //...???...
> //negotiation that is out of the range of my brain till now, but I think it's
> normal security negotiation in the Windows system, and there is no error here.
> Exec-Program: returned: 0
> //...???...
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> //...???... if MSCHAP Success, where is the matter with this module???
>
> what makes you believe there is a problem at this stage?
>
> ++[eap] returns handled
> } # server (null)
> //...???...
> PEAP: Got tunneled reply RADIUS code 11
>     EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
>     Message-Authenticator = 0x
>     State = 0x95b92b9094ab31501a0a30daea5106ca
> PEAP: Processing from tunneled session code 0x81b78d8 11
>     EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
>     Message-Authenticator = 0x
>     State = 0x95b92b9094ab31501a0a30daea5106ca
> PEAP: Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
>     EAP-Message = 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
>     Message-Authenticator = 0x
>     State = 0xe8ed0301efff1a196c3b0024d8e45892
> //...???... and then what? and why does it stop..???...
>
> why do I get the feeling that if Message-Authenticator is all zeros, it
> is a "nope, not going to happen mate" type return, effectively stopping any
> further processing. Why I have no idea .. Alan??
>
> [cut out bits that are not relevant, nor commented, nor anything. Let's trim
> messages folks. If it's not used or relevant, get rid of it.. It only takes
> space]
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
I read the post "PEAP or TTLS and Microsoft Vista". What I retain is that I have to test another wireless manager, different from the built-in one of Windows XP. OK, I will as soon as I am in front of the server (no chance, it's the weekend now).

----- Original message -----
From: nf-vale <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Friday, 25 July 2008, 20:51:58
Subject: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Are you using the Vista supplicant? By reading the last lines of your radius debug file it seems so...

See earlier posts with subject: "PEAP or TTLS and Microsoft Vista".

On Fri, 2008-07-25 at 17:10, Reveal MAP wrote:
> > installing ca.der and putting user && pass into client machine, the
> > authentication doesn't work?
>
> -- no, it doesn't!
>
> > you only need ca.der but, if you have an active directory like LDAP,
> > check if your communication with the AD server also has tls
> > authentication. In the ldap module you can configure another tls block,
> > which is different from the tls block in the eap module.
>
> -- Well, the howto explaining how freeradius has to authenticate users
> against Active Directory says nothing about ldap config files on the
> linux server. It just gives tips about samba, using winbind, ntlm_auth,
> krb5.conf, nsswitch.conf and the mschap module in freeradius.
> I have always succeeded with this kind of authentication without reading
> or changing a line of the ldap module in freeradius.
> And I think authenticating users against OpenLDAP won't be managed like
> authentication of freeradius using Active Directory.
>
> > I don't know if it is your problem, but I suppose that communication
> > between the ldap server and radius can have different certificates, from
> > different CAs than the eap communication.
>
> my wireless network is secured with WPA/WPA2 Enterprise, requiring a
> RADIUS server to perform authentication. So I am doing 802.1X
> authentication which exploits a valid PKI, regardless of the base of
> users. This is how I understand it.
>
> > If it is your problem, I would check it. Also it would be good if you
> > post the debug of radius to see which certificate can't validate.
>
> see the log there: http://tinypaste.com/5b99b
> active and valid user is:
> login: glouglou
> password: glouglou
>
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
>
> :/ Any help will be appreciated. These days I am wondering about the
> validity of the server certificate!
> I have to tell you that, in my case, if I try a PEAP authentication
> against Active Directory with wrong user credentials, I have an error
> message saying that login or password is incorrect. With good user
> credentials, I just obtain what you can see in the radiusd -X output
> (http://tinypaste.com/5b99b)
>
> thank you
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
thanx for responding dude. Let's take a look at this part of the log! (Remember too that I am new to linux; many things are still Chinese to me.)

I agree, my certificates are OK to do EAP in general.

my comments are the red lines:

my mschap module config is:
--
mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = yes
    # the line as posted ended in "NT-Response:-00}}" with a stray second
    # brace, so ntlm_auth received a trailing "}" (visible in the expand
    # output below); one closing brace is the intended form
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

my peap and mschapv2 module config is:
---
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
  peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    proxy_tunneled_request_as_eap = yes
  }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
  mschapv2 {
    with_ntdomain_hack = yes
  }

output of eap/mschapv2 authentication is:

rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
//Normal, I am not willing to do PAP but MSCHAPv2
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
//do the 3 previous lines mean there is an error? what does "No Cleartext-Password configured" mean?
// what does LM-Password mean? and if it's an error, how could I correct it?
// I thought it was normal, as I am sure Windows never sends "Cleartext-Password"
expand: --username=%{mschap:User-Name} -> --username=glouglou
//...???...
mschap2: d1
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4a2a69e7929b2c03
//...???...
expand: --nt-response=%{mschap:NT-Response:-00}} -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6}
//...???...
Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
//...???...
Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
//...???...
//negotiation that is out of the range of my brain till now, but I think it's normal security negotiation in the Windows system, and there is no error here.
Exec-Program: returned: 0
//...???...
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
//...???... if MSCHAP Success, where is the matter with this module???
++[eap] returns handled
} # server (null)
//...???...
PEAP: Got tunneled reply RADIUS code 11
    EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
    Message-Authenticator = 0x
    State = 0x95b92b9094ab31501a0a30daea5106ca
PEAP: Processing from tunneled session code 0x81b78d8 11
    EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
    Message-Authenticator = 0x
    State = 0x95b92b9094ab31501a0a30daea5106ca
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
    EAP-Message = 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
    Message-Authenticator = 0x
    State = 0xe8ed0301efff1a196c3b0024d8e45892
//...???... and then what? and why does it stop..???...
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 157 with timestamp +47
Cleaning up request 3 ID 158 with timestamp +47
Cleaning up request 4 ID 159 with timestamp +47
Cleaning up request 5 ID 160 with timestamp +47
Cleaning up request 6 ID 161 with timestamp +47
Cleaning up request 7 ID 162 with timestamp +47
Cleaning up request 8 ID 163 with timestamp +47
Cleaning up request 9 ID 164 with timestamp +47
Ready to process requests.

> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
>
> :/ Any help will be appreciated. These days I am wondering about the
> validity of the server certificate!
> I have to tell you that, in my case, if I try a PEAP authentication
> against Active Directory with wrong user credentials, I have an error
> message saying that login or password is incorrect. With good user
> credentials, I just obtain what you can see in the radiusd -X output
> (http://tinypaste.com/5b99b)
>
> thank you
Re: Re : Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
> see the log there: http://tinypaste.com/5b99b

Your problem is nothing to do with certificates. The PEAP tunnel gets set up correctly, the MS-CHAP client->server auth succeeds, but the final server->client (mutual) auth appears to fail.

This could be for a number of reasons, but it's a problem at the client side. You will need to debug it at the client side.
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Reveal MAP wrote:
> > installing ca.der and putting user && pass into client machine, the
> > authentication doesn't work?
>
> -- no, it doesn't!
>
> > you only need ca.der but, if you have an active directory like LDAP,
> > check if your communication with the AD server also has tls
> > authentication. In the ldap module you can configure another tls block,
> > which is different from the tls block in the eap module.
>
> -- Well, the howto explaining how freeradius has to authenticate users
> against Active Directory says nothing about ldap config files on the
> linux server. It just gives tips about samba, using winbind, ntlm_auth,
> krb5.conf, nsswitch.conf and the mschap module in freeradius.
> I have always succeeded with this kind of authentication without reading
> or changing a line of the ldap module in freeradius.
> And I think authenticating users against OpenLDAP won't be managed like
> authentication of freeradius using Active Directory.
>
> > I don't know if it is your problem, but I suppose that communication
> > between the ldap server and radius can have different certificates, from
> > different CAs than the eap communication.
>
> my wireless network is secured with WPA/WPA2 Enterprise, requiring a
> RADIUS server to perform authentication. So I am doing 802.1X
> authentication which exploits a valid PKI, regardless of the base of
> users. This is how I understand it.
>
> > If it is your problem, I would check it. Also it would be good if you
> > post the debug of radius to see which certificate can't validate.
>
> see the log there: http://tinypaste.com/5b99b
> active and valid user is:
> login: glouglou
> password: glouglou
>
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
>
> :/ Any help will be appreciated. These days I am wondering about the
> validity of the server certificate!
> I have to tell you that, in my case, if I try a PEAP authentication
> against Active Directory with wrong user credentials, I have an error
> message saying that login or password is incorrect. With good user
> credentials, I just obtain what you can see in the radiusd -X output
> (http://tinypaste.com/5b99b)
>
> thank you

but I think you don't have any problem with certificates, looking at the radius debug:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established

the client is telling you that it has verified the server cert (against ca.der). Then, the server writes ChangeCipherSpec and Finished, and the tls phase is finished.

I think you have problems with the mschapv2 phase, assuming your sql queries are working. Your problem begins here:

rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
expand: --username=%{mschap:User-Name} -> --username=glouglou

I think.. I've never configured peap/mschapv2, but sometimes I've read, not carefully, about some dependencies between the mschap module and mschapv2, or something like that.

hope this helps you
Re: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
nf-vale wrote:
> Are you using the Vista supplicant? By reading the last lines of your
> radius debug file it seems so...
>
> See earlier posts with subject: "PEAP or TTLS and Microsoft Vista".
>
> On Fri, 2008-07-25 at 17:10, Reveal MAP wrote:
> > > installing ca.der and putting user && pass into client machine, the
> > > authentication doesn't work?
> >
> > -- no, it doesn't!
> >
> > > you only need ca.der but, if you have an active directory like LDAP,
> > > check if your communication with the AD server also has tls
> > > authentication. In the ldap module you can configure another tls block,
> > > which is different from the tls block in the eap module.
> >
> > -- Well, the howto explaining how freeradius has to authenticate users
> > against Active Directory says nothing about ldap config files on the
> > linux server. It just gives tips about samba, using winbind, ntlm_auth,
> > krb5.conf, nsswitch.conf and the mschap module in freeradius.
> > I have always succeeded with this kind of authentication without reading
> > or changing a line of the ldap module in freeradius.
> > And I think authenticating users against OpenLDAP won't be managed like
> > authentication of freeradius using Active Directory.
> >
> > > I don't know if it is your problem, but I suppose that communication
> > > between the ldap server and radius can have different certificates,
> > > from different CAs than the eap communication.
> >
> > my wireless network is secured with WPA/WPA2 Enterprise, requiring a
> > RADIUS server to perform authentication. So I am doing 802.1X
> > authentication which exploits a valid PKI, regardless of the base of
> > users. This is how I understand it.
> >
> > > If it is your problem, I would check it. Also it would be good if you
> > > post the debug of radius to see which certificate can't validate.
> >
> > see the log there: http://tinypaste.com/5b99b
> > active and valid user is:
> > login: glouglou
> > password: glouglou
> >
> > aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> > password:
> > NT_STATUS_OK: Success (0x0)
> > aaa:~ #
> >
> > :/ Any help will be appreciated. These days I am wondering about the
> > validity of the server certificate!
> > I have to tell you that, in my case, if I try a PEAP authentication
> > against Active Directory with wrong user credentials, I have an error
> > message saying that login or password is incorrect. With good user
> > credentials, I just obtain what you can see in the radiusd -X output
> > (http://tinypaste.com/5b99b)
> >
> > thank you

no, I have this error using both linux wpa_supplicant and xp3. I have wpa_supplicant running ok with another two eap modules, but not with the default PKI. I'm really "flipado" (I don't know the exact translation of "flipado", but it seems to be very very very very ..surprised) because I've tried a lot of things to solve it. I think learning English is a good beginning, jejeje.

Thanks
Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Are you using vista supplicant? By reading the last lines of your radius
debug file it seems so... See earlier posts with subject: "PEAP or TTLS
and Microsoft Vista".

Fri, 2008-07-25 at 17:10, Reveal MAP wrote:
>> installing ca.der and putting user && pass into client machine, the
>> authentication doesn't work?
>
> -- no, it doesn't!
>
>> you only need ca.der but, if you have an active directory like LDAP,
>> check if your communication with AD server also have tls authentication.
>> Into ldap module you can configure another tls block, which it's
>> different than tls block into eap module.
>
> -- Well, the howto explaining how freeradius has to authenticate users
> against Active Directory says nothing about ldap config files on linux
> server. it just gives tips about samba, using winbind, ntlm_auth,
> krb5.conf, nsswitch.conf and mschap module in freeradius. I already
> succeeded with this kind of authentication without reading or changing
> a line of ldap module in freeradius. and I think, authenticating users
> against Openldap won't be managed like authentication of freeradius
> using active directory.
>
>> I don't know if it is your problem, but I suppose that communication
>> between ldap server and radius can have different certificates, from
>> different ca's than eap communication.
>
> my wireless network is secured with wpa/wpa2 enterprise, requiring a
> RADIUS server to perform authentication. so I am doing 802.1x
> authentication which exploits a valid PKI, regardless of the base of
> users. this is how I understand it.
>
>> If it is your problem, I would check it. also would be good you post
>> the debug of radius to see which certificate can't validate.
>
> see the log there: http://tinypaste.com/5b99b
>
> active and valid user is:
> login: glouglou
> password: glouglou
>
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
>
> :/ Any help will be appreciated.
>
> these days I am wondering about validity of the Server certificate!
>
> I have to tell you that, in my case, if I try a peap authentication
> against Active Directory with wrong users credentials, I have an error
> message saying that login or password is incorrect. with good users
> credentials, I just obtain what you can see in the radiusd -X output
> (http://tinypaste.com/5b99b)
>
> thank you
Re : Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
> installing ca.der and putting user && pass into client machine, the
> authentication doesn't work?

-- no, it doesn't!

> you only need ca.der but, if you have an active directory like LDAP,
> check if your communication with AD server also have tls authentication.
> Into ldap module you can configure another tls block, which it's
> different than tls block into eap module.

-- Well, the howto explaining how freeradius has to authenticate users
against Active Directory says nothing about ldap config files on linux
server. it just gives tips about samba, using winbind, ntlm_auth,
krb5.conf, nsswitch.conf and mschap module in freeradius. I already
succeeded with this kind of authentication without reading or changing a
line of ldap module in freeradius. and I think, authenticating users
against Openldap won't be managed like authentication of freeradius
using active directory.

> I don't know if it is your problem, but I suppose that communication
> between ldap server and radius can have different certificates, from
> different ca's than eap communication.

my wireless network is secured with wpa/wpa2 enterprise, requiring a
RADIUS server to perform authentication. so I am doing 802.1x
authentication which exploits a valid PKI, regardless of the base of
users. this is how I understand it.

> If it is your problem, I would check it. also would be good you post
> the debug of radius to see which certificate can't validate.

see the log there: http://tinypaste.com/5b99b

active and valid user is:
login: glouglou
password: glouglou

aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
password:
NT_STATUS_OK: Success (0x0)
aaa:~ #

:/ Any help will be appreciated.

these days I am wondering about validity of the Server certificate!

I have to tell you that, in my case, if I try a peap authentication
against Active Directory with wrong users credentials, I have an error
message saying that login or password is incorrect. with good users
credentials, I just obtain what you can see in the radiusd -X output
(http://tinypaste.com/5b99b)

thank you
Re: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Reveal MAP wrote:
>> But I think this problem does not affect peap because peap does not
>> use client certs, you only need to install ca.der into client machine
>> and put the passwords
>
> i refer to that:
>
>>> so my question is, if the certificate (with server extension) is
>>> missing on the client, could it interfere in EAP-PEAP authentication
>>> success?
>>
>> yes. you need a RADIUS cert with the extensions...and if doing proper
>> PEAP, you need the CA installed on the client too - with 'validate
>> server certificate' checked and cross-linked (ie you choose the
>> correct CA in the list!)
>>
>> alan
>
> really?? it seems to affect PEAP too when freeradius authenticates
> against Active Directory. if I understood well, PEAP authentication
> needs client side a login + password and server side a certificate in
> order for the authentication process to succeed! so, which certificate
> have I to install on client side?
>
> - I did already try ca.der with no success! after an access-challenge,
>   the request simply stops.
> - I am trying server.crt too, with no more success. I install it in
>   the intermediate authority container, but it won't be available in
>   the list of the wireless manager of xp.
>
> if you have a suggestion, I am open!
>
> Original message
> From: Sergio <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list
> Sent: Friday, 25 July 2008, 13:20:54
> Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a
> problem with eap-tls)
>
> Reveal MAP wrote:
>> HOW TO FIX THE PROBLEM OF THE ISSUER of clients certificates in
>> default configuration?
>>
>> - this bug is suspected to be the reason I can't do EAP-PEAP and to
>>   affect the CRL management too. it's a real problem
>>
>> Original message
>> From: Alan DeKok <[EMAIL PROTECTED]>
>> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
>> Sent: Thursday, 24 July 2008, 19:54:32
>> Subject: Re: cert bootstrap bug? (was Re: definitively, I have a
>> problem with eap-tls)
>>
>> Sergio wrote:
>>> But the debug I posted shows that radius doesn't recognize the issuer
>>> of client cert using default certs. If default certs works and I
>>> don't need to install server.pem and ca.pem into ssl/certs dir, what
>>> I'm forgetting alan?
>>
>> You need to follow the documentation in eap.conf.
>>
>>   # If CA_file (below) is not used, then the
>>   # certificate_file below MUST include not
>>   # only the server certificate, but ALSO all
>>   # of the CA certificates used to sign the
>>   # server certificate.
>>   certificate_file = ${certdir}/server.pem
>>
>> Have you done that?
>>
>> Alan DeKok.
>
> But I think this problem does not affect peap because peap does not use
> client certs, you only need to install ca.der into client machine and
> put the passwords

Then, you're trying to tell me the following: installing ca.der and
putting user && pass into client machine, the authentication doesn't
work?

you only need ca.der but, if you have an active directory like LDAP,
check if your communication with AD server also have tls authentication.
Into ldap module you can configure another tls block, which it's
different than tls block into eap module.

I don't know if it is your problem, but I suppose that communication
between ldap server and radius can have different certificates, from
different ca's than eap communication. If it is your problem, I would
check it. also would be good you post the debug of radius to see which
certificate can't validate.

See you later :)
Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
> But I think this problem does not affect peap because peap does not
> use client certs, you only need to install ca.der into client machine
> and put the passwords

i refer to that:

>> so my question is, if the certificate (with server extension) is
>> missing on the client, could it interfere in EAP-PEAP authentication
>> success?
>
> yes. you need a RADIUS cert with the extensions...and if doing proper
> PEAP, you need the CA installed on the client too - with 'validate
> server certificate' checked and cross-linked (ie you choose the correct
> CA in the list!)
>
> alan

really?? it seems to affect PEAP too when freeradius authenticates
against Active Directory. if I understood well, PEAP authentication
needs client side a login + password and server side a certificate in
order for the authentication process to succeed! so, which certificate
have I to install on client side?

- I did already try ca.der with no success! after an access-challenge,
  the request simply stops.
- I am trying server.crt too, with no more success. I install it in the
  intermediate authority container, but it won't be available in the
  list of the wireless manager of xp.

if you have a suggestion, I am open!

Original message
From: Sergio <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Friday, 25 July 2008, 13:20:54
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a
problem with eap-tls)

Reveal MAP wrote:
> HOW TO FIX THE PROBLEM OF THE ISSUER of clients certificates in
> default configuration?
>
> - this bug is suspected to be the reason I can't do EAP-PEAP and to
>   affect the CRL management too. it's a real problem
>
> Original message
> From: Alan DeKok <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list
> Sent: Thursday, 24 July 2008, 19:54:32
> Subject: Re: cert bootstrap bug? (was Re: definitively, I have a
> problem with eap-tls)
>
> Sergio wrote:
>> But the debug I posted shows that radius doesn't recognize the issuer
>> of client cert using default certs. If default certs works and I don't
>> need to install server.pem and ca.pem into ssl/certs dir, what I'm
>> forgetting alan?
>
> You need to follow the documentation in eap.conf.
>
>   # If CA_file (below) is not used, then the
>   # certificate_file below MUST include not
>   # only the server certificate, but ALSO all
>   # of the CA certificates used to sign the
>   # server certificate.
>   certificate_file = ${certdir}/server.pem
>
> Have you done that?
>
> Alan DeKok.

But I think this problem does not affect peap because peap does not use
client certs, you only need to install ca.der into client machine and
put the passwords
Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Reveal MAP wrote:
> HOW TO FIX THE PROBLEM OF THE ISSUER of clients certificates in
> default configuration?
>
> - this bug is suspected to be the reason I can't do EAP-PEAP and to
>   affect the CRL management too. it's a real problem
>
> Original message
> From: Alan DeKok <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list
> Sent: Thursday, 24 July 2008, 19:54:32
> Subject: Re: cert bootstrap bug? (was Re: definitively, I have a
> problem with eap-tls)
>
> Sergio wrote:
>> But the debug I posted shows that radius doesn't recognize the issuer
>> of client cert using default certs. If default certs works and I don't
>> need to install server.pem and ca.pem into ssl/certs dir, what I'm
>> forgetting alan?
>
> You need to follow the documentation in eap.conf.
>
>   # If CA_file (below) is not used, then the
>   # certificate_file below MUST include not
>   # only the server certificate, but ALSO all
>   # of the CA certificates used to sign the
>   # server certificate.
>   certificate_file = ${certdir}/server.pem
>
> Have you done that?
>
> Alan DeKok.

But I think this problem does not affect peap because peap does not use
client certs, you only need to install ca.der into client machine and
put the passwords
Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
HOW TO FIX THE PROBLEM OF THE ISSUER of clients certificates in default
configuration?

- this bug is suspected to be the reason I can't do EAP-PEAP and to
  affect the CRL management too. it's a real problem

Original message
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Thursday, 24 July 2008, 19:54:32
Subject: Re: cert bootstrap bug? (was Re: definitively, I have a problem
with eap-tls)

Sergio wrote:
> But the debug I posted shows that radius doesn't recognize the issuer
> of client cert using default certs. If default certs works and I don't
> need to install server.pem and ca.pem into ssl/certs dir, what I'm
> forgetting alan?

You need to follow the documentation in eap.conf.

  # If CA_file (below) is not used, then the
  # certificate_file below MUST include not
  # only the server certificate, but ALSO all
  # of the CA certificates used to sign the
  # server certificate.
  certificate_file = ${certdir}/server.pem

Have you done that?

Alan DeKok.
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
On Thu, Jul 24, 2008 at 09:14:54PM +0200, Alan DeKok wrote:
> Phil Mayers wrote:
>> Alan - it does look to my untrained eye as if the "client.crt" Makefile
>> target in /etc/raddb/certs is signing the client key with the server
>> key. Is this intentional, or a bug?
>
> It's intentional. It's a perfectly valid use of certificate chains.
>
> The idea is that you have one CA for your organization, and (perhaps)
> multiple RADIUS servers. Each server has its own identity, and can
> issue its own client certs for EAP-TLS. But client certs will work
> across multiple servers, because the servers are signed by the same CA.

Ah, I see.
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Alan DeKok wrote:
> Sergio wrote:
>> But the debug I posted shows that radius doesn't recognize the issuer
>> of client cert using default certs. If default certs works and I don't
>> need to install server.pem and ca.pem into ssl/certs dir, what I'm
>> forgetting alan?
>
> You need to follow the documentation in eap.conf.
>
>   # If CA_file (below) is not used, then the
>   # certificate_file below MUST include not
>   # only the server certificate, but ALSO all
>   # of the CA certificates used to sign the
>   # server certificate.
>   certificate_file = ${certdir}/server.pem
>
> Have you done that?
>
> Alan DeKok.

I've tried several times. First, I need to use CA_file because I'm
configuring eap-tls and radiusd won't parse eap.conf. Then I've tried:

- cat ca.pem >> server.pem
  doesn't work (I think it's right if I want to use peap or similar,
  based on this paragraph of eap documentation)

- CA_file = ${cadir}/ca.pem
  CA_file = ${cadir}/server.pem
  because you permit a list of trusted ca (although server.pem isn't a
  ca cert)

- cp server.pem root.pem
  cat ca.pem >> root.pem
  CA_file = ${cadir}/root.pem
  works, but I think then I can't manage the crl.

Then:
a) I'm a little stupid (I don't know any other term)
b) I have no idea about english language (many probabilities)
c) a) and b) and bad manners (but trying to be a nice boy)
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Sergio wrote:
> But the debug I posted shows that radius doesn't recognize the issuer
> of client cert using default certs. If default certs works and I don't
> need to install server.pem and ca.pem into ssl/certs dir, what I'm
> forgetting alan?

You need to follow the documentation in eap.conf.

  # If CA_file (below) is not used, then the
  # certificate_file below MUST include not
  # only the server certificate, but ALSO all
  # of the CA certificates used to sign the
  # server certificate.
  certificate_file = ${certdir}/server.pem

Have you done that?

Alan DeKok.
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Alan DeKok wrote:
> Phil Mayers wrote:
>> Alan - it does look to my untrained eye as if the "client.crt" Makefile
>> target in /etc/raddb/certs is signing the client key with the server
>> key. Is this intentional, or a bug?
>
> It's intentional. It's a perfectly valid use of certificate chains.
>
> The idea is that you have one CA for your organization, and (perhaps)
> multiple RADIUS servers. Each server has its own identity, and can
> issue its own client certs for EAP-TLS. But client certs will work
> across multiple servers, because the servers are signed by the same CA.
>
> Alan DeKok.

Sorry, only one more note. bootstrap command doesn't make client certs.
You need to execute "make client.pem" to make it. I also assume that it
is normal.
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Alan DeKok wrote:
> Phil Mayers wrote:
>> Alan - it does look to my untrained eye as if the "client.crt" Makefile
>> target in /etc/raddb/certs is signing the client key with the server
>> key. Is this intentional, or a bug?
>
> It's intentional. It's a perfectly valid use of certificate chains.
>
> The idea is that you have one CA for your organization, and (perhaps)
> multiple RADIUS servers. Each server has its own identity, and can
> issue its own client certs for EAP-TLS. But client certs will work
> across multiple servers, because the servers are signed by the same CA.
>
> Alan DeKok.

But the debug I posted shows that radius doesn't recognize the issuer of
client cert using default certs. If default certs works and I don't need
to install server.pem and ca.pem into ssl/certs dir, what I'm forgetting
alan?
Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Phil Mayers wrote:
> Alan - it does look to my untrained eye as if the "client.crt" Makefile
> target in /etc/raddb/certs is signing the client key with the server
> key. Is this intentional, or a bug?

It's intentional. It's a perfectly valid use of certificate chains.

The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers. Each server has its own identity, and can issue
its own client certs for EAP-TLS. But client certs will work across
multiple servers, because the servers are signed by the same CA.

Alan DeKok.
cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
> Yeah!! Then you're agree with me. I've been explaining (trying) in this
> forum that client cert must be signed by ca cert. bootstrap command
> signs client cert with server.key and this does not work. The solution
> is to replace the signing in certs/Makefile (-key server.key -cert
> server.pem should be -key ca.key -cert ca.pem).

I think so.

> Then, are you agree with me when I say, with fear and respect, that
> default radius PKI doesn't work?

Hmm. Maybe; I guess most people test PEAP which just uses CA & server
certs, no client certs.

I'm by no means an expert, and Makefiles make my brain hurt, so I could
be misreading it.

Alan - it does look to my untrained eye as if the "client.crt" Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?

> Second: if I sign client certificates with ca.key I assume that I can't
> manage the CRL because it should be signed with server.key, am I right?

I don't think so. Again, I think the CRL is signed with the CA key. Of
course, you'll need to run your own crl commands, the FreeRadius stuff
doesn't come with that.
Re: definitively, I have a problem with eap-tls
Phil Mayers wrote:
> Sergio wrote:
>> ok :) I provide certificate files and eap.conf in a tar ball to not to
>> post a mail too long. If I print [EMAIL PROTECTED] in text form I see
>> how radius is the issuer of the certificate. This is the default PKI
>> and I don't know what I'm doing wrong. Thanks for your attention.
>
> I get the exact same error at the CLI:
>
> [EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < server.pem
> stdin: OK
> [EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < [EMAIL PROTECTED]
> stdin: /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> Your certificates are invalid:
>
> * server.pem is signed by ca.pem, which is correct:
>
>   Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./[EMAIL PROTECTED], CN=Example Certificate Authority
>   Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
>
> * user.pem is signed by *server.pem* which is WRONG
>
>   Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
>   Subject: C=FR, ST=Radius, O=Example Inc., [EMAIL PROTECTED]/[EMAIL PROTECTED]
>
> You have signed the user cert with the server cert, which is incorrect.
> You must sign the user cert with the CA cert.

Yeah!! Then you're agree with me. I've been explaining (trying) in this
forum that client cert must be signed by ca cert. bootstrap command signs
client cert with server.key and this does not work. The solution is to
replace the signing in certs/Makefile (-key server.key -cert server.pem
should be -key ca.key -cert ca.pem).

Then, are you agree with me when I say, with fear and respect, that
default radius PKI doesn't work?

Second: if I sign client certificates with ca.key I assume that I can't
manage the CRL because it should be signed with server.key, am I right?

what do you think about this?

Thanks
Re: definitively, I have a problem with eap-tls
> ok :) I provide certificate files and eap.conf in a tar ball to not to
> post a mail too long. If I print [EMAIL PROTECTED] in text form I see
> how radius is the issuer of the certificate. This is the default PKI
> and I don't know what I'm doing wrong. Thanks for your attention.

I get the exact same error at the CLI:

[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < server.pem
stdin: OK
[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem < [EMAIL PROTECTED]
stdin: /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Your certificates are invalid:

* server.pem is signed by ca.pem, which is correct:

  Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./[EMAIL PROTECTED], CN=Example Certificate Authority
  Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]

* user.pem is signed by *server.pem* which is WRONG

  Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
  Subject: C=FR, ST=Radius, O=Example Inc., [EMAIL PROTECTED]/[EMAIL PROTECTED]

You have signed the user cert with the server cert, which is incorrect.
You must sign the user cert with the CA cert.
Re: definitively, I have a problem with eap-tls
Phil Mayers wrote:
> Sergio wrote:
>> Sorry, I'll do the things right hehe
>
> I haven't been reading all your emails, but what I have read is very
> confusing. So I'm sorry if I misunderstand.
>
> The error message seems very very clear. FreeRadius cannot verify the
> client certificate. This means you have not given it the correct CA
> certificate.
>
> You keep talking about "c_rehash" - to the best of my knowledge,
> FreeRadius doesn't make use of a "certificate directory" with the
> openssl-style .0 -> real.pem symlinks. Forget about that.
>
> Can you please provide:
>
> * a copy of your eap.conf
> * a copy of the files from the "eap { tls {} }" section:
>   * certificate_file
>   * CA_file
> * a copy of the client cert:
>   * [EMAIL PROTECTED]

ok :) I provide certificate files and eap.conf in a tar ball to not to
post a mail too long. If I print [EMAIL PROTECTED] in text form I see how
radius is the issuer of the certificate. This is the default PKI and I
don't know what I'm doing wrong. Thanks for your attention.

Attachment: files.tar
Re: definitively, I have a problem with eap-tls
Sergio wrote:
> Sorry, I'll do the things right hehe

I haven't been reading all your emails, but what I have read is very
confusing. So I'm sorry if I misunderstand.

The error message seems very very clear. FreeRadius cannot verify the
client certificate. This means you have not given it the correct CA
certificate.

You keep talking about "c_rehash" - to the best of my knowledge,
FreeRadius doesn't make use of a "certificate directory" with the
openssl-style .0 -> real.pem symlinks. Forget about that.

Can you please provide:

* a copy of your eap.conf
* a copy of the files from the "eap { tls {} }" section:
  * certificate_file
  * CA_file
* a copy of the client cert:
  * [EMAIL PROTECTED]
Re: definitively, I have a problem with eap-tls
Sorry, I'll do the things right jeje Log using default configuration except: -default_eap_type = tls into eap.conf -client 192.168.0.0/24 { secret = testing123 shortname = kely } into clients.conf, and ap configuration ok (still not in the garbage) -wpa_supplicant with cert [EMAIL PROTECTED] private key pass whatever ca cert ca.pem Identity = user, because if I put Identity = "[EMAIL PROTECTED]" I got rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler from radius debug go! Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0, length=223 Cleaning up request 0 ID 0 with timestamp +6 User-Name = "user" NAS-IP-Address = 192.168.0.3 Called-Station-Id = "0014c145956f" Calling-Station-Id = "001cf01294dd" NAS-Identifier = "0014c145956f" NAS-Port = 27 Framed-MTU = 1400 State = 0x8bca9aca8bcb976abb82dcb4bf9a7d57 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201005d0d001603010052014e030141454c2a2c04490a119ee1bb01bef71f545786cfb41f565c94aa2fbc5c3b2600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100 Message-Authenticator = 0xe217e8279c4d42c9d30581d3ac0869a1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 93 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): 
before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a8], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.0.3 port 3072 EAP-Message = 0x010204000dc00b71160301004a024603014145e969e014c8d53d557333896438fb1df53b86d7e20c01469331a3648020f970bd1fb576a0d44b1165ead8575f867d7090de73650f60ce84182204f7f555003901160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303732343131343934305a170d3039303732343131343934305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7fc7dd827525278ce75a5ee68879408cd1f69f6d592986a78ad710e3220 EAP-Message = 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 EAP-Message = 
Re: definitively, I have a problem with eap-tls
Sergio wrote:
> Sergio wrote:
> > HI, continuing with Reveal MAP's problem with unknown CAs under eap-tls using the default configuration
> >
> > private_key_file = ${certdir}/server.pem
> > certificate_file = ${certdir}/server.pem
> > CA_file = ${cadir}/ca.pem
> >
> > freeradius tells me this:
> >
> > rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
> > --> verify error:num=24:invalid CA certificate
> > rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> > TLS Alert write:fatal:unknown CA
> >
> > well, it isn't a problem:
> >
> > cp server.pem root.pem
> > cat ca.pem >> root.pem
> >
> > then I change CA_file = ${cadir}/root.pem ...and eureka, authentication successful. But now there is a problem checking the CRL because of root.pem; then, something is wrong before making root.pem. Well, just tell freeradius how to find certificates:
> >
> > c_rehash /usr/local/etc/raddb/certs
> >
> > also doesn't work. I think Reveal had the same problem, and I have read about this on the mailing list, but nothing. Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has somebody encountered problems with this apart from Reveal MAP and me?
> >
> > P.S. the certification route in Windows isn't a problem, only tell xp_supplicant who the root authority is (it was logical)
>
> Also me, Sergio, restarting:
>
> private_key_file = ${certdir}/server.pem
> certificate_file = ${certdir}/server.pem
> CA_file = ${cadir}/ca.pem
>
> portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0
> portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0
> portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
> lrwxrwxrwx 1 root root 6 2008-07-23 02:47 16593b28.0 -> ca.pem
> lrwxrwxrwx 1 root root 10 2008-07-23 02:49 7d18a7eb.0 -> server.pem
> portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
> server.pem: OK
> portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
> client.crt: OK
>
> and then, the user is rejected. The other configuration files are OK, also wpa_supplicant. Look at this, Reveal, be brave, hehehe. Am I forgetting something? I have two other eap modules working OK with a different authority than the server's, and I'm really intrigued about this. Somebody joins? hehe
>
> regards :)

Please, any suggestion? I'm going insane. I can do a new installation and tell what I'm doing (only proxy_request = no, put my AP into clients.conf and put [EMAIL PROTECTED] into the users file)... Also I've tried to install ca.pem and server.crt into /etc/ssl/certs (then openssl verify client.pem returns OK, without -CApath)

Thanks
Re: definitively, I have a problem with eap-tls
Sergio wrote:
> HI, continuing with Reveal MAP's problem with unknown CAs under eap-tls using the default configuration
>
> private_key_file = ${certdir}/server.pem
> certificate_file = ${certdir}/server.pem
> CA_file = ${cadir}/ca.pem
>
> freeradius tells me this:
>
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
> --> verify error:num=24:invalid CA certificate
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
>
> well, it isn't a problem:
>
> cp server.pem root.pem
> cat ca.pem >> root.pem
>
> then I change CA_file = ${cadir}/root.pem ...and eureka, authentication successful. But now there is a problem checking the CRL because of root.pem; then, something is wrong before making root.pem. Well, just tell freeradius how to find certificates:
>
> c_rehash /usr/local/etc/raddb/certs
>
> also doesn't work. I think Reveal had the same problem, and I have read about this on the mailing list, but nothing. Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has somebody encountered problems with this apart from Reveal MAP and me?
>
> P.S. the certification route in Windows isn't a problem, only tell xp_supplicant who the root authority is (it was logical)

Also me, Sergio, restarting:

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0
portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0
portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
lrwxrwxrwx 1 root root 6 2008-07-23 02:47 16593b28.0 -> ca.pem
lrwxrwxrwx 1 root root 10 2008-07-23 02:49 7d18a7eb.0 -> server.pem
portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
server.pem: OK
portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
client.crt: OK

and then, the user is rejected. The other configuration files are OK, also wpa_supplicant. Look at this, Reveal, be brave, hehehe. Am I forgetting something? I have two other eap modules working OK with a different authority than the server's, and I'm really intrigued about this. Somebody joins? hehe

regards :)
definitively, I have a problem with eap-tls
HI, continuing with Reveal MAP's problem with unknown CAs under eap-tls using the default configuration

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

freeradius tells me this:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
--> verify error:num=24:invalid CA certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA

well, it isn't a problem:

cp server.pem root.pem
cat ca.pem >> root.pem

then I change CA_file = ${cadir}/root.pem ...and eureka, authentication successful. But now there is a problem checking the CRL because of root.pem; then, something is wrong before making root.pem. Well, just tell freeradius how to find certificates:

c_rehash /usr/local/etc/raddb/certs

also doesn't work. I think Reveal had the same problem, and I have read about this on the mailing list, but nothing. Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has somebody encountered problems with this apart from Reveal MAP and me?

P.S. the certification route in Windows isn't a problem, only tell xp_supplicant who the root authority is (it was logical)