Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Alan DeKok
Reveal MAP wrote:
> now we know what not to do at all. we are still wondering what we have
> to do.

  Use a client that isn't broken.  Sorry.  Try SecureW2.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Reveal MAP
Ok,

now we know what not to do at all. we are still wondering what we have to do.

- if bootstrap works at your side, there is no reason that it doesn't work at our
side: we didn't change anything in this file, but followed the
/etc/raddb/certs/README file...

hope we will together figure the problem out.



----- Original message -----
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Sunday, 27 July 2008, 19:42:23
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem
with eap-tls)


Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Alan DeKok
Reveal MAP wrote:
> Yes, Alan, we already know that the default config does work! my mind:
> freeradius (in our case, sergio and me) is correctly configured. But we
> encountered a problem showing no error message. so to make the log
> slimmer, why not deactivate some non-mandatory modules in our scenario??
> so the output will show the strictly necessary information...

  Because editing the config files when you don't know what they do is
almost always a bad idea.  Recommending that *other* people edit the
config files when you don't know what they do is *very* much a bad idea.
You are actively confusing people, and making it harder for them to
solve their problems.

> e.g.: I don't need the PAP module at all to figure out the problem of
> PEAP/mschapv2 and Active Directory.
> 
> and another question Alan: did you test the bootstrap script in windows
> and can you tell us how it works at your side please? how do you find
> the certification chain!!!

  It works for me.

  Alan DeKok.


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Reveal MAP
Yes, Alan, we already know that the default config does work! my mind: freeradius
(in our case, sergio and me) is correctly configured. But we encountered a
problem showing no error message. so to make the log slimmer, why not
deactivate some non-mandatory modules in our scenario?? so the output will show
the strictly necessary information...

e.g.: I don't need the PAP module at all to figure out the problem of
PEAP/mschapv2 and Active Directory.

and another question Alan: did you test the bootstrap script in windows and can
you tell us how it works at your side please? how do you find the
certification chain!!!

thanks a lot



----- Original message -----
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Sunday, 27 July 2008, 08:51:35
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem
with eap-tls)


Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Reveal MAP

> I agree, a good beginning would be to comment out all modules you're not
> using. The instances of the modules are in sites-enabled/default and
> sites-enabled/inner-tunnel (for peap and ttls).

--- Don't worry, it will be done soon (as soon as the week starts again). i
really want to figure it out



  

Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Alan DeKok
Sergio wrote:
> I agree, a good beginning would be to comment out all modules you're not
> using. The instances of the modules are in sites-enabled/default and
> sites-enabled/inner-tunnel (for peap and ttls).

  For debugging... no.  The default configuration file WORKS in the
widest possible set of circumstances.  If it isn't working, it's usually:

  a) the client (e.g. Windows)
  b) the NAS (e.g. recent comments about 3com)

  You should edit the default configuration ONLY for production
environments, and ONLY after the debug setup is working to your
satisfaction.

  Alan DeKok.


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-27 Thread Sergio

Anders Holm wrote:





I agree, a good beginning would be to comment out all modules you're not
using. The instances of the modules are in sites-enabled/default and
sites-enabled/inner-tunnel (for peap and ttls).




Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Reveal MAP
> > http://tinypaste.com/5b99b = Radiusd -X output.
>
> [snip]
>
> > rlm_pap: WARNING! No "known good" password found for the user.  Authentication
> > may fail because of this.  //Normal, i am not willing to do
> > PAP but mschapv2
>
>  If you're not using a module, disable it. All it'll do is add latency,
> delays and unnecessary log messages. Comment it out ...

lol,

i deactivated the chap module already, i left pap because sometimes i use
"radtest" for testing! but the PAP and SQL modules will be deactivated soon and
we shall see. maybe monday or tuesday, you will have a clean log! please, stay
connected to the post

> > ++[pap] returns noop
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > +- entering group authenticate
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP/mschapv2
> >   rlm_eap: processing type mschapv2
> > +- entering group MS-CHAP
> >   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
> >   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
> >   rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
> > //do the 3 previous lines mean there is an error? what does "No
> > Cleartext-Password configured" mean?
>
>  it means it cannot find a clear text password in the backend data store,
> which it expects to do ..

pfiouh, previously with another version of freeradius and the same devices and
the same config, doing the same type of authentication, i was sure i had these
two lines and encountered no error! but i am not sure!

> > // what does LM-Password mean? and if it's an error, how could i correct it?
>
>  Check your configuration. All depends on so many things ..
>
> > // i thought it was normal, as I am sure windows never sends
> > "Cleartext-Password"
>
> Oh, Windows sure has been using clear text passwords, so it then also has a
> need to be backwards compatible with itself, right?
>
> > expand: --username=%{mschap:User-Name}-> --username=glouglou //...???...
> >
> >  mschap2: d1
> > expand: --challenge=%{mschap:Challenge:-00} ->
> > --challenge=4a2a69e7929b2c03 //...???...
> > expand: --nt-response=%{mschap:NT-Response:-00}} ->
> > --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???...
> > Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
> > Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> > //...???...
> > //negotiation that is out of the range of my brain till now, but i think it's
> > normal security negotiation in windows system, and there is no error here.
> >
> > Exec-Program: returned: 0 //...???...
> > rlm_mschap: adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success //...???... if MSCHAP Success, where is the matter with this
> > module???
>
>  what makes you believe there is a problem at this stage?
>  why do I get the feeling that if Message-Authenticator is all zeros, it is
> a "nope, not going to happen mate" type return, effectively stopping any
> further processing. Why I have no idea .. Alan??


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Reveal MAP
hmm... it's true i didn't test authentication with another laptop! i will! and
i will also try secureW2 instead of the XP built-in wireless manager, and see!!



Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Anders Holm
> [snip]
> 
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.  //Normal, i am not willing to do
> PAP but mschapv2

 If you're not using a module, disable it. All it'll do is add latency,
delays and unnecessary log messages. Comment it out ...

> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
>   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
> //do the 3 previous lines mean there is an error? what does "No
> Cleartext-Password configured" mean?

 it means it cannot find a clear text password in the backend data store,
which it expects to do ..

> // what does LM-Password mean? and if it's an error, how could i correct it?

 Check your configuration. All depends on so many things ..

> // i thought it was normal, as I am sure windows never sends
> "Cleartext-Password"

Oh, Windows sure has been using clear text passwords, so it then also has a
need to be backwards compatible with itself, right?

> expand: --username=%{mschap:User-Name}-> --username=glouglou
> //...???...
> 
>  mschap2: d1
> expand: --challenge=%{mschap:Challenge:-00} ->
> --challenge=4a2a69e7929b2c03 //...???...
> expand: --nt-response=%{mschap:NT-Response:-00}} ->
> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???...
> Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
> Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> //...???...
> //negotiation that is out of the range of my brain till now, but i think it's
> normal security negotiation in windows system, and there is no error here.
> 
> Exec-Program: returned: 0 //...???...
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success //...???... if MSCHAP Success, where is the matter with this
> module???

 what makes you believe there is a problem at this stage?

> ++[eap] returns handled
> } # server (null) //...???...
>   PEAP: Got tunneled reply RADIUS code 11
> EAP-Message =
> 0x011200331a0311002e533d313034353230313939324636334439444241323036444246433433
> 41413242354132313236344636
> Message-Authenticator = 0x
> State = 0x95b92b9094ab31501a0a30daea5106ca
>   PEAP: Processing from tunneled session code 0x81b78d8 11
> EAP-Message =
> 0x011200331a0311002e533d313034353230313939324636334439444241323036444246433433
> 41413242354132313236344636
> Message-Authenticator = 0x
> State = 0x95b92b9094ab31501a0a30daea5106ca
>   PEAP: Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
> EAP-Message =
> 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0
> a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
> Message-Authenticator = 0x
> State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then what?
> and why does it stop..???...

 why do I get the feeling that if Message-Authenticator is all zeros, it
is a "nope, not going to happen mate" type return, effectively stopping any
further processing. Why I have no idea .. Alan??

[cut out bits that are not relevant, nor commented, nor anything. Let's trim
messages folks. If it's not used or relevant, get rid of it.. It only takes
space]


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Reveal MAP


I read the post:   "PEAP or TTLS and Microsoft Vista".

what i retain is that i have to test another wireless manager different than the
built-in one of windows XP. ok, i will as soon as i am in front of the server
(no chance, it's the weekend now)



----- Original message -----
From: nf-vale <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Friday, 25 July 2008, 20:51:58
Subject: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem
with eap-tls)

Are you using vista supplicant? By reading the last lines of your radius
debug file it seems so...


See earlier posts with subject:  "PEAP or TTLS and Microsoft Vista".



Fri, 2008-07-25 at 17:10 +, Reveal MAP wrote:
> 
> 
> > installing ca.der and putting user && pass into client machine, the
> > authentication doesn't work?
> 
>   -- no, it doesn't!
> 
> > you only need ca.der but, if you have an active directory like
> > LDAP, check if your communication with AD server also has tls
> > authentication.
> > Into ldap module you can configure another tls block, which is
> > different than the tls block into eap module.
> 
>   -- Well, the howto explaining how freeradius has to authenticate
> users against Active Directory says nothing about ldap config files on
> linux server. it just gives tips about samba, using winbind,
> ntlm_auth, krb5.conf, nsswitch.conf and mschap module in freeradius.
> I have always succeeded with this kind of authentication without reading or
> changing a line of the ldap module in freeradius.
> and i think, authenticating users against Openldap won't be managed
> like authentication of freeradius using active directory.
> 
> > I don't know if it is your problem, but I suppose that communication
> > between ldap server and radius can have different certificates, from
> > different ca's than eap communication.
> 
> my wireless network is secured with wpa/wpa2 enterprise, requiring a
> RADIUS server to perform authentication. so i am doing 802.1x
> authentication which exploits a valid PKI, regardless of the base of
> users. this is how i understand it.
> 
> > If it is your problem, I would
> > check it. also it would be good if you post the debug of radius to see which
> > certificate can't validate.
> 
> see the log there: http://tinypaste.com/5b99b
> active and valid user is:
> login: glouglou
> password: glouglou
> 
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
> 
> :/ Any help will be appreciated. these days i am wondering about
> validity of the Server certificate!
> I have to tell you that, in my case, if i try a peap authentication
> against Active Directory with wrong user credentials, i have an
> error message saying that login or password is incorrect. with good
> user credentials, i just obtain what you can see in the Radiusd -X
> output (http://tinypaste.com/5b99b)
> 
> thank you

Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Reveal MAP
thanks for responding dude. let's take a look at this part of the log!
(remember too that i am new to linux, many things are still chinese to
me)

i agree, my certificates are OK to do EAP in general
my comments are the red lines:

my mschap module config is:
--
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
# one closing brace per %{...} expansion: a doubled "}}" passes a literal "}"
# to ntlm_auth (it shows up at the end of the --nt-response expansion below)
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }

my peap and mschapv2 module config is:
---
Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = yes
   }


output of eap/mschapv2 authentication is:

rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.//Normal, i am not willing to do 
PAP but mschapv2
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password. 
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
//do the 3 previous lines mean there is an error? what does "No
Cleartext-Password configured" mean?
   // what does LM-Password mean? and if it's an error, how could i correct it?
   // i thought it was normal, as I am sure windows never sends
"Cleartext-Password"

expand: --username=%{mschap:User-Name}-> --username=glouglou //...???...

  mschap2: d1
expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=4a2a69e7929b2c03 //...???...
expand: --nt-response=%{mschap:NT-Response:-00}} ->  
--nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???...
Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 
//...???...
//negotiation that is out
of the range of my brain till now, but i think it's normal security
negotiation in windows system, and there is no error here.

Exec-Program: returned: 0 //...???...
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success //...???... if MSCHAP Success, where is the matter with this 
module???
++[eap] returns handled
} # server (null) //...???...
  PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 
0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
Message-Authenticator = 0x
State = 0x95b92b9094ab31501a0a30daea5106ca
  PEAP: Processing from tunneled session code 0x81b78d8 11
EAP-Message = 
0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
Message-Authenticator = 0x
State = 0x95b92b9094ab31501a0a30daea5106ca
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
EAP-Message =
0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
Message-Authenticator = 0x
State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then what?
and why does it stop..???...
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 157 with timestamp +47
Cleaning up request 3 ID 158 with timestamp +47
Cleaning up request 4 ID 159 with timestamp +47
Cleaning up request 5 ID 160 with timestamp +47
Cleaning up request 6 ID 161 with timestamp +47
Cleaning up request 7 ID 162 with timestamp +47
Cleaning up request 8 ID 163 with timestamp +47
Cleaning up request 9 ID 164 with timestamp +47
Ready to process requests.
  


> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
>
>
> :/ Any help will be appreciated. these days i am wondering about 
> validity of the Server certificate!
> I have to tell you that, in my case, if i try a peap authentication 
> against Active Directoiry with wrong users credentials, i have an 
> error message saying that login or password is incorrect. with good 
> users credential, i just obtain what you can see in the Radiusd -X 
> output (http://tinypaste.com/5b99b)
>
> thank you

Re: Re : Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Phil Mayers

> see the log there: http://tinypaste.com/5b99b



Your problem is nothing to do with certificates. The PEAP tunnel gets 
setup correctly, the MS-CHAP client->server auth succeeds, but the final 
server->client (mutual) auth appears to fail.


This could be for a number of reasons, but it's a problem at the client 
side. You will need to debug it at the client side.

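The two EAP-Message values in the debug output above can be decoded to see exactly what the server handed the client at that server->client step. The following Python is an added example, not code from this thread or from FreeRADIUS: it parses the EAP header (RFC 3748), the PEAP outer packet and the MS-CHAPv2 packet (RFC 2759) of the values copied from the log, showing that the tunneled reply is an MS-CHAPv2 Success carrying the "S=" authenticator response the supplicant must verify, and that the outer Access-Challenge is PEAP wrapping a TLS application-data record. It needs only the Python standard library.

```python
"""Decode EAP-Message hex values from a FreeRADIUS 'radiusd -X' trace.

Added example for this thread, not FreeRADIUS code: it parses the EAP header
(RFC 3748), a PEAP outer packet (EAP type 25) and an MS-CHAPv2 packet
(EAP type 26, RFC 2759) to show what the server handed the client for the
final server->client authentication step.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# The two EAP-Message values copied from the radiusd -X output quoted in the
# thread: the tunneled reply and the outer Access-Challenge that carries it.
INNER_SUCCESS = (
    "0x011200331a0311002e533d31303435323031393932463633443944424132303644424643"
    "343341413242354132313236344636"
)
OUTER_PEAP = (
    "0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915e"
    "f1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3"
)


def _unhex(hexdump):
    """Turn the '0x...' string printed by radiusd -X into bytes."""
    return bytes.fromhex(hexdump[2:] if hexdump.startswith("0x") else hexdump)


def parse_mschapv2(body):
    """Parse the MS-CHAPv2 packet carried in an EAP type-26 payload."""
    if len(body) < 4:
        raise ValueError("MS-CHAPv2 body shorter than its 4-byte header")
    opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
    if ms_len != len(body):
        raise ValueError(f"MS-Length {ms_len} != {len(body)} bytes present")
    info = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "ms_id": ms_id}
    if opcode == 3:
        # Success packet: "S=<40 hex chars>" is the authenticator response the
        # supplicant recomputes and compares; that comparison is the
        # server->client half of MS-CHAPv2 mutual authentication.
        text = body[4:].decode("ascii")
        info["message"] = text
        if text.startswith("S=") and len(text) >= 42:
            info["authenticator_response"] = text[2:42]
    return info


def parse_peap(body):
    """Parse the PEAP flags byte and the first TLS record header."""
    if not body:
        raise ValueError("empty PEAP body")
    flags = body[0]
    info = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "peap_version": flags & 0x07,
    }
    tls = body[1:]
    if info["length_included"]:
        info["tls_message_length"] = struct.unpack("!I", tls[:4])[0]
        tls = tls[4:]
    if len(tls) >= 5:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
        info["tls_record"] = {
            "content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
            "version": f"{major}.{minor}",  # 3.1 is TLS 1.0
            "length": rec_len,
            "complete": len(tls) - 5 == rec_len,
        }
    return info


def parse_eap(hexdump):
    """Parse one EAP-Message value: the EAP header plus a known type body."""
    data = _unhex(hexdump)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP Length {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        msg["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 26:
            msg["mschapv2"] = parse_mschapv2(data[5:])
        elif eap_type == 25:
            msg["peap"] = parse_peap(data[5:])
    return msg


if __name__ == "__main__":
    print("inner:", parse_eap(INNER_SUCCESS))
    print("outer:", parse_eap(OUTER_PEAP))
```

The inner packet decodes to an EAP Request (id 18, 51 bytes) of type MS-CHAPv2 with opcode Success; what the client does with the 40-hex-character authenticator response is where Phil's diagnosis points.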


Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-26 Thread Sergio

Reveal MAP wrote:

> > installing ca.der and putting user && pass into client machine, the
> > authentication doesn't work?
> 
>   -- no, it doesn't!
> 
> > you only need ca.der but, if you have an active directory like LDAP,
> > check if your communication with AD server also has tls authentication.
> > Into ldap module you can configure another tls block, which is
> > different than the tls block into eap module.
> 
>   -- Well, the howto explaining how freeradius has to authenticate
> users against Active Directory says nothing about ldap config files on
> linux server. it just gives tips about samba, using winbind,
> ntlm_auth, krb5.conf, nsswitch.conf and mschap module in freeradius.
> I have always succeeded with this kind of authentication without reading or
> changing a line of the ldap module in freeradius.
> and i think, authenticating users against Openldap won't be managed
> like authentication of freeradius using active directory.
> 
> > I don't know if it is your problem, but I suppose that communication
> > between ldap server and radius can have different certificates, from
> > different ca's than eap communication.
> 
> my wireless network is secured with wpa/wpa2 enterprise, requiring a
> RADIUS server to perform authentication. so i am doing 802.1x
> authentication which exploits a valid PKI, regardless of the base of
> users. this is how i understand it.
> 
> > If it is your problem, I would
> > check it. also it would be good if you post the debug of radius to see which
> > certificate can't validate.
> 
> see the log there: http://tinypaste.com/5b99b
> active and valid user is:
> login: glouglou
> password: glouglou
> 
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
> 
> :/ Any help will be appreciated. these days i am wondering about
> validity of the Server certificate!
> I have to tell you that, in my case, if i try a peap authentication
> against Active Directory with wrong user credentials, i have an
> error message saying that login or password is incorrect. with good
> user credentials, i just obtain what you can see in the Radiusd -X
> output (http://tinypaste.com/5b99b)
> 
> thank you




but I think you don't have any problem with certificates, looking at the
radius debug:


rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
   TLS_accept: SSLv3 read client key exchange A
 rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 read finished A
 rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
   TLS_accept: SSLv3 write change cipher spec A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 write finished A
   TLS_accept: SSLv3 flush data
   (other): SSL negotiation finished successfully
SSL Connection Established

the client is telling you that it has verified the server cert (against
ca.der). Then, the server writes ChangeCipherSpec and Finished, and the tls phase
is finished. I think you have problems with the mschapv2 phase, assuming
your sql queries are working.

Your problem begins here:

rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
+- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
   expand: --username=%{mschap:User-Name} -> --username=glouglou

I think..
I've never configured peap/mschapv2 but sometimes i've read, not
carefully, about some dependencies between the mschap module and mschapv2 or
something like that.

hope this helps you

Re: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Sergio

nf-vale wrote:

Are you using vista supplicant? By reading the last lines of your radius
debug file it seems so...


See earlier posts with subject:  "PEAP or TTLS and Microsoft Vista".





No, I have this error using both Linux wpa_supplicant and xp3. I have
wpa_supplicant running OK with another two EAP modules, but not with the
default PKI. I'm really "flipado" (I don't know the exact translation of
"flipado", but it seems to be very very very very ... surprised) because I've
tried a lot of things to solve it. I think learning English is a good
beginning, jejeje. Thanks



Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread nf-vale
Are you using vista supplicant? By reading the last lines of your radius
debug file it seems so...


See earlier posts with subject:  "PEAP or TTLS and Microsoft Vista".



Fri, 2008-07-25 at 17:10 +, Reveal MAP wrote:
>
> > installing ca.der and putting user && pass into client machine, the
> > authentication doesn't work?
>
>   -- no, it doesn't!
>
> > you only need ca.der but, if you have an active directory like LDAP,
> > check if your communication with the AD server also has TLS
> > authentication. In the ldap module you can configure another tls block,
> > which is different from the tls block in the eap module.
>
>   -- Well, the howto explaining how freeradius has to authenticate
> users against Active Directory says nothing about ldap config files on
> the linux server. It just gives tips about samba, using winbind,
> ntlm_auth, krb5.conf, nsswitch.conf and the mschap module in freeradius.
> I have always succeeded with this kind of authentication without reading or
> changing a line of the ldap module in freeradius.
> And I think authenticating users against OpenLDAP won't be managed
> like freeradius authentication using Active Directory.
>
> > I don't know if it is your problem, but I suppose that communication
> > between the ldap server and radius can have different certificates, from
> > different CAs than the eap communication.
>
> My wireless network is secured with WPA/WPA2 Enterprise, requiring a
> RADIUS server to perform authentication. So I am doing 802.1X
> authentication, which relies on a valid PKI regardless of the user base.
> This is how I understand it.
>
> > If it is your problem, I would check it. Also, it would be good if you
> > post the radius debug to see which certificate can't be validated.
>
> See the log there: http://tinypaste.com/5b99b
> The active and valid user is:
> login: glouglou
> password: glouglou
>
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
>
> :/ Any help will be appreciated. These days I am wondering about the
> validity of the server certificate!
> I have to tell you that, in my case, if I try a PEAP authentication
> against Active Directory with wrong user credentials, I get an
> error message saying that the login or password is incorrect. With good
> user credentials, I just obtain what you can see in the radiusd -X
> output (http://tinypaste.com/5b99b)
>
> thank you


Re : Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Reveal MAP


> installing ca.der and putting user && pass into client machine, the
> authentication doesn't work?

  -- no, it doesn't!

> you only need ca.der but, if you have an active directory like LDAP,
> check if your communication with the AD server also has TLS authentication.
> In the ldap module you can configure another tls block, which is
> different from the tls block in the eap module.

  -- Well, the howto explaining how freeradius has to authenticate users
against Active Directory says nothing about ldap config files on the linux
server. It just gives tips about samba, using winbind, ntlm_auth, krb5.conf,
nsswitch.conf and the mschap module in freeradius.
I have always succeeded with this kind of authentication without reading or
changing a line of the ldap module in freeradius.
And I think authenticating users against OpenLDAP won't be managed like
freeradius authentication using Active Directory.

> I don't know if it is your problem, but I suppose that communication
> between the ldap server and radius can have different certificates, from
> different CAs than the eap communication.

My wireless network is secured with WPA/WPA2 Enterprise, requiring a RADIUS
server to perform authentication. So I am doing 802.1X authentication, which
relies on a valid PKI regardless of the user base. This is how I understand
it.

> If it is your problem, I would check it. Also, it would be good if you
> post the radius debug to see which certificate can't be validated.

See the log there: http://tinypaste.com/5b99b
The active and valid user is:
login: glouglou
password: glouglou

aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
password:
NT_STATUS_OK: Success (0x0)
aaa:~ #

:/ Any help will be appreciated. These days I am wondering about the validity
of the server certificate!
I have to tell you that, in my case, if I try a PEAP authentication against
Active Directory with wrong user credentials, I get an error message saying
that the login or password is incorrect. With good user credentials, I just
obtain what you can see in the radiusd -X output (http://tinypaste.com/5b99b)

thank you

Re: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Sergio

Reveal MAP wrote:

> But I think this problem does not affect PEAP because PEAP does not use
> client certs; you only need to install ca.der on the client machine and
> put in the passwords

I refer to that:

> so my question is, if the certificate (with server extension) is
> missing on the client, could it interfere with EAP-PEAP authentication
> success?


yes.

you need a RADIUS cert with the extensions...and if doing proper
PEAP, you need the CA installed on the client too  - with 'validate
server certificate' checked and cross-linked (ie you choose
the correct CA in the list!)

alan

really?? It seems to affect PEAP too when freeradius authenticates
against Active Directory.


If I understood well, PEAP authentication needs, on the client side, a login +
password and, on the server side, a certificate in order for the
authentication process to succeed!

So, which certificate do I have to install on the client side?
- I did already try ca.der with no success! After an access-challenge,
the request simply stops.
- I am trying server.crt too, with no more success. I install it in the
intermediate authority container, but it won't be available in the
list of the wireless manager of XP.

If you have a suggestion, I am open!



- Original Message
From : Sergio <[EMAIL PROTECTED]>
To : FreeRadius users mailing list
Sent : Friday, 25 July 2008, 13:20:54
Subject : Re: Re : cert bootstrap bug? (was Re: definitively, I have a
problem with eap-tls)


Reveal MAP wrote:
> HOW TO FIX THE PROBLEM OF THE ISSUER of client certificates in the
> default configuration?
>
> - this bug is suspected to be the reason I can't do EAP-PEAP, and to
> affect CRL management too. It's a real problem
>
>
>
> - Original Message
> From : Alan DeKok <[EMAIL PROTECTED]>
> To : FreeRadius users mailing list
> Sent : Thursday, 24 July 2008, 19:54:32
> Subject : Re: cert bootstrap bug? (was Re: definitively, I have a
> problem with eap-tls)
>
> Sergio wrote:
> > But the debug I posted shows that radius doesn't recognize the issuer of
> > client cert using default certs. If the default certs work and I don't need
> > to install server.pem and ca.pem into the ssl/certs dir, what am I
> > forgetting, Alan?
>
>  You need to follow the documentation in eap.conf.
>
>#  If CA_file (below) is not used, then the
>#  certificate_file below MUST include not
>#  only the server certificate, but ALSO all
>#  of the CA certificates used to sign the
>#  server certificate.
>certificate_file = ${certdir}/server.pem
>
>  Have you done that?
>
>  Alan DeKok.
>
But I think this problem does not affect PEAP because PEAP does not use
client certs; you only need to install ca.der on the client machine and
put in the passwords


Then, you're trying to tell me the following:

Installing ca.der and putting user && pass on the client machine, the
authentication doesn't work?
You only need ca.der, but if you have an active directory like LDAP,
check if your communication with the AD server also has TLS authentication.
In the ldap module you can configure another tls block, which is
different from the tls block in the eap module.
I don't know if it is your problem, but I suppose that communication
between the ldap server and radius can have different certificates, from
different CAs than the eap communication. If it is your problem, I would
check it. Also, it would be good if you post the radius debug to see which
certificate can't be validated.


See you later :)

Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Reveal MAP
> But I think this problem does not affect PEAP because PEAP does not use
> client certs; you only need to install ca.der on the client machine and
> put in the passwords

I refer to that:

> so my question is, if the certificate (with server extension) is
> missing on the client, could it interfere with EAP-PEAP authentication
> success?

yes.

you need a RADIUS cert with the extensions...and if doing proper
PEAP, you need the CA installed on the client too  - with 'validate
server certificate' checked and cross-linked (ie you choose
the correct CA in the list!)

alan

really?? It seems to affect PEAP too when freeradius authenticates against
Active Directory.

If I understood well, PEAP authentication needs, on the client side, a login +
password and, on the server side, a certificate in order for the authentication
process to succeed!
So, which certificate do I have to install on the client side?
- I did already try ca.der with no success! After an access-challenge, the
request simply stops.
- I am trying server.crt too, with no more success. I install it in the
intermediate authority container, but it won't be available in the list of
the wireless manager of XP.
If you have a suggestion, I am open!




- Original Message
From : Sergio <[EMAIL PROTECTED]>
To : FreeRadius users mailing list
Sent : Friday, 25 July 2008, 13:20:54
Subject : Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem
with eap-tls)

Reveal MAP wrote:
> HOW TO FIX THE PROBLEM OF THE ISSUER of client certificates in the
> default configuration?
>
> - this bug is suspected to be the reason I can't do EAP-PEAP, and to
> affect CRL management too. It's a real problem
>
>
>
> - Original Message
> From : Alan DeKok <[EMAIL PROTECTED]>
> To : FreeRadius users mailing list
> Sent : Thursday, 24 July 2008, 19:54:32
> Subject : Re: cert bootstrap bug? (was Re: definitively, I have a
> problem with eap-tls)
>
> Sergio wrote:
> > But the debug I posted shows that radius doesn't recognize the issuer of
> > client cert using default certs. If the default certs work and I don't need
> > to install server.pem and ca.pem into the ssl/certs dir, what am I
> > forgetting, Alan?
>
>   You need to follow the documentation in eap.conf.
>
> #  If CA_file (below) is not used, then the
> #  certificate_file below MUST include not
> #  only the server certificate, but ALSO all
> #  of the CA certificates used to sign the
> #  server certificate.
> certificate_file = ${certdir}/server.pem
>
>   Have you done that?
>
>   Alan DeKok.
>
But I think this problem does not affect PEAP because PEAP does not use
client certs; you only need to install ca.der on the client machine and
put in the passwords


Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Sergio

Reveal MAP wrote:
HOW TO FIX THE PROBLEM OF THE ISSUER of client certificates in the
default configuration?


- this bug is suspected to be the reason I can't do EAP-PEAP, and to affect
CRL management too. It's a real problem




- Original Message
From : Alan DeKok <[EMAIL PROTECTED]>
To : FreeRadius users mailing list
Sent : Thursday, 24 July 2008, 19:54:32
Subject : Re: cert bootstrap bug? (was Re: definitively, I have a
problem with eap-tls)


Sergio wrote:
> But the debug I posted shows that radius doesn't recognize the issuer of
> client cert using default certs. If the default certs work and I don't need
> to install server.pem and ca.pem into the ssl/certs dir, what am I
> forgetting, Alan?

  You need to follow the documentation in eap.conf.

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/server.pem

  Have you done that?

  Alan DeKok.

But I think this problem does not affect PEAP because PEAP does not use
client certs; you only need to install ca.der on the client machine and
put in the passwords



Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Reveal MAP
HOW TO FIX THE PROBLEM OF THE ISSUER of client certificates in the default
configuration?

- this bug is suspected to be the reason I can't do EAP-PEAP, and to affect
CRL management too. It's a real problem





- Original Message
From : Alan DeKok <[EMAIL PROTECTED]>
To : FreeRadius users mailing list
Sent : Thursday, 24 July 2008, 19:54:32
Subject : Re: cert bootstrap bug? (was Re: definitively, I have a problem with
eap-tls)

Sergio wrote:
> But the debug I posted shows that radius doesn't recognize the issuer of
> client cert using default certs. If the default certs work and I don't need
> to install server.pem and ca.pem into the ssl/certs dir, what am I
> forgetting, Alan?

  You need to follow the documentation in eap.conf.

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/server.pem

  Have you done that?

  Alan DeKok.

Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-25 Thread Phil Mayers

On Thu, Jul 24, 2008 at 09:14:54PM +0200, Alan DeKok wrote:

Phil Mayers wrote:

Alan - it does look to my untrained eye as if the "client.crt" Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?


 It's intentional.  It's a perfectly valid use of certificate chains.

 The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.


Ah, I see.


Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Sergio

Alan DeKok wrote:

Sergio wrote:
> But the debug I posted shows that radius doesn't recognize the issuer of
> client cert using default certs. If the default certs work and I don't need
> to install server.pem and ca.pem into the ssl/certs dir, what am I
> forgetting, Alan?



  You need to follow the documentation in eap.conf.

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/server.pem

  Have you done that?

  Alan DeKok.


I've tried several times. First, I need to use CA_file because I'm
configuring EAP-TLS and radiusd won't parse eap.conf. Then I've tried:

- cat ca.pem >> server.pem: doesn't work (I think it's right if I want to
  use PEAP or similar, based on this paragraph of the eap documentation)

- CA_file = ${cadir}/ca.pem
  CA_file = ${cadir}/server.pem
  because you permit a list of trusted CAs (although server.pem isn't a
  CA cert)

- cp server.pem root.pem
  cat ca.pem >> root.pem
  CA_file = ${cadir}/root.pem works, but I think then I can't manage the
  CRL.


Then:
a) I'm a little stupid (I don't know any other term)
b) I have no idea about the English language (many probabilities)
c) a) and b) and bad manners (but trying to be a nice boy)


Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Alan DeKok
Sergio wrote:
> But the debug I posted shows that radius doesn't recognize the issuer of
> client cert using default certs. If the default certs work and I don't need
> to install server.pem and ca.pem into the ssl/certs dir, what am I
> forgetting, Alan?

  You need to follow the documentation in eap.conf.

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/server.pem

  Have you done that?

  Alan DeKok.


Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Sergio

Alan DeKok wrote:

Phil Mayers wrote:
> Alan - it does look to my untrained eye as if the "client.crt" Makefile
> target in /etc/raddb/certs is signing the client key with the server
> key. Is this intentional, or a bug?



  It's intentional.  It's a perfectly valid use of certificate chains.

  The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.

  Alan DeKok.
Sorry, only one more note. The bootstrap command doesn't make client certs;
you need to execute "make client.pem" to make them.

I also assume that this is normal.


Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Sergio

Alan DeKok wrote:

Phil Mayers wrote:
> Alan - it does look to my untrained eye as if the "client.crt" Makefile
> target in /etc/raddb/certs is signing the client key with the server
> key. Is this intentional, or a bug?



  It's intentional.  It's a perfectly valid use of certificate chains.

  The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.

  Alan DeKok.
But the debug I posted shows that radius doesn't recognize the issuer of
client cert using default certs. If the default certs work and I don't need
to install server.pem and ca.pem into the ssl/certs dir, what am I
forgetting, Alan?



Re: cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Alan DeKok
Phil Mayers wrote:
> Alan - it does look to my untrained eye as if the "client.crt" Makefile
> target in /etc/raddb/certs is signing the client key with the server
> key. Is this intentional, or a bug?

  It's intentional.  It's a perfectly valid use of certificate chains.

  The idea is that you have one CA for your organization, and (perhaps)
multiple RADIUS servers.  Each server has its own identity, and can
issue its own client certs for EAP-TLS.  But client certs will work
across multiple servers, because the servers are signed by the same CA.

  Alan DeKok.


cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

2008-07-24 Thread Phil Mayers


> Yeah!! Then you agree with me. I've been (trying to) explain in this
> forum that the client cert must be signed by the CA cert. The bootstrap
> command signs the client cert with server.key and this does not work. The
> solution is to replace the signing in certs/Makefile (-key server.key
> -cert server.pem should be -key ca.key -cert ca.pem). Then, do you agree
> with me when I


I think so.


> say, with fear and respect, that the default radius PKI doesn't work?


Hmm. Maybe; I guess most people test PEAP which just uses CA & server 
certs, no client certs.


I'm by no means an expert, and Makefile's make my brain hurt, so I could 
be misreading it.


Alan - it does look to my untrained eye as if the "client.crt" Makefile 
target in /etc/raddb/certs is signing the client key with the server 
key. Is this intentional, or a bug?


> Second: if I sign client certificates with ca.key I assume that I can't
> manage the CRL because it should be signed with server.key, am I right?


I don't think so. Again, I think the CRL is signed with the CA key. Of
course, you'll need to run your own crl commands; the FreeRadius stuff
doesn't come with that.



Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Sergio

Phil Mayers wrote:


> > ok :) I provide the certificate files and eap.conf in a tarball so as not
> > to post a mail that is too long.
> > If I print [EMAIL PROTECTED] in text form I see that radius is the
> > issuer of the certificate. This is the default PKI and I don't know
> > what I'm doing wrong.
> >
> > Thanks for your attention.
>
> I get the exact same error at the CLI:
>
> [EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem  < server.pem
> stdin: OK
>
> [EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem  < [EMAIL PROTECTED]
> stdin: /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> Your certificates are invalid:
>
>  * server.pem is signed by ca.pem, which is correct:
>
> Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./[EMAIL PROTECTED], CN=Example Certificate Authority
> Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
>
>  * user.pem is signed by *server.pem* which is WRONG
>
> Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
> Subject: C=FR, ST=Radius, O=Example Inc., [EMAIL PROTECTED]/[EMAIL PROTECTED]
>
> You have signed the user cert with the server cert, which is
> incorrect. You must sign the user cert with the CA cert.





Yeah!! Then you agree with me. I've been (trying to) explain in this
forum that the client cert must be signed by the CA cert. The bootstrap
command signs the client cert with server.key and this does not work. The
solution is to replace the signing in certs/Makefile (-key server.key
-cert server.pem should be -key ca.key -cert ca.pem). Then, do you agree
with me when I say, with fear and respect, that the default radius PKI
doesn't work?
Second: if I sign client certificates with ca.key I assume that I can't
manage the CRL because it should be signed with server.key, am I right?


what do you think about this?

Thanks


Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Phil Mayers


> ok :) I provide the certificate files and eap.conf in a tarball so as not
> to post a mail that is too long.
> If I print [EMAIL PROTECTED] in text form I see that radius is the
> issuer of the certificate. This is the default PKI and I don't know what
> I'm doing wrong.
>
> Thanks for your attention.

I get the exact same error at the CLI:

[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem  < server.pem
stdin: OK

[EMAIL PROTECTED] tmp]$ openssl verify -CAfile ca.pem  < [EMAIL PROTECTED]
stdin: /C=FR/ST=Radius/O=Example Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Your certificates are invalid:

 * server.pem is signed by ca.pem, which is correct:

Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./[EMAIL PROTECTED], CN=Example Certificate Authority
Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]

 * user.pem is signed by *server.pem* which is WRONG

Issuer: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/[EMAIL PROTECTED]
Subject: C=FR, ST=Radius, O=Example Inc., [EMAIL PROTECTED]/[EMAIL PROTECTED]



You have signed the user cert with the server cert, which is incorrect. 
You must sign the user cert with the CA cert.
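The chain mismatch Phil diagnosed here (user cert issued by the server cert instead of the CA) and the corrected signing Sergio proposed for certs/Makefile, reproduced as an added example that is not from the thread or the FreeRADIUS project: a POSIX sh script that builds a throwaway CA, server cert and two client certs with the openssl CLI and checks each against ca.pem with openssl verify. The subject names are constructed samples and the file names user-by-server.pem and user-by-ca.pem are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): rebuild the
# two signing chains discussed above in a scratch directory and check them
# with "openssl verify", the command Phil used. Assumes POSIX sh and the
# openssl CLI; the subject names are constructed sample values.
set -eu

# Print the subject or issuer DN of a PEM cert with the "subject="/"issuer="
# label stripped, so two DNs printed by the same openssl build compare equal.
dn_of() {  # dn_of subject|issuer CERT
  openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# Exit 0 when CERT names ISSUERCERT's subject as its issuer (the check Phil
# did by eye on the Issuer: / Subject: lines).
signed_by() {  # signed_by CERT ISSUERCERT
  [ "$(dn_of issuer "$1")" = "$(dn_of subject "$2")" ]
}

# Print "OK", or the "error N at D depth lookup" token from openssl verify
# (error 20 = no local issuer, the message in Phil's transcript), trusting
# only CAFILE. Parses the output rather than the exit code because
# OpenSSL 1.0.x "verify" exits 0 even on failure.
verify_with_ca() {  # verify_with_ca CERT CAFILE
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *) echo "$out" | grep -o 'error [0-9]* at [0-9]* depth lookup' | head -n 1 ;;
  esac
}

# Sign CSR with ISSUERCERT/ISSUERKEY, writing OUT (one-day validity).
issue() {  # issue CSR ISSUERCERT ISSUERKEY OUT
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1 -out "$4" >/dev/null 2>&1
}

# Build, in DIR: ca.pem (self-signed), server.pem (signed by the CA), and
# two client certs for the same key: user-by-server.pem signed with
# server.key (what the bootstrap Makefile did) and user-by-ca.pem signed
# with ca.key (the fix Sergio proposed).
make_pki() {  # make_pki DIR
  mkdir -p "$1"
  ( cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout ca.key -out ca.pem \
      -subj "/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority" \
      >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj "/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate" \
      >/dev/null 2>&1
    issue server.csr ca.pem ca.key server.pem
    openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
      -subj "/C=FR/ST=Radius/O=Example Inc./CN=user" >/dev/null 2>&1
    issue user.csr server.pem server.key user-by-server.pem  # wrong issuer
    issue user.csr ca.pem ca.key user-by-ca.pem              # correct issuer
  )
}

# Print issuer and verification result for each cert: "sh script.sh demo".
demo() {
  w=$(mktemp -d)
  make_pki "$w"
  for c in server.pem user-by-server.pem user-by-ca.pem; do
    printf '%-20s issuer: %s\n' "$c" "$(dn_of issuer "$w/$c")"
    printf '%-20s verify against ca.pem: %s\n' "$c" "$(verify_with_ca "$w/$c" "$w/ca.pem")"
  done
}

case "${1:-}" in demo) demo ;; esac
```

With only ca.pem trusted, user-by-server.pem fails exactly as in Phil's transcript (error 20 at depth 0) while user-by-ca.pem verifies, which is what a RADIUS server configured with CA_file = ca.pem will see for each client cert.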





Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Sergio

Phil Mayers wrote:

> Sergio wrote:
> > Sorry, I'll do things right jeje
>
> I haven't been reading all your emails, but what I have read is very
> confusing. So I'm sorry if I misunderstand.
>
> The error message seems very very clear.
>
> FreeRadius cannot verify the client certificate.
>
> This means you have not given it the correct CA certificate.
>
> You keep talking about "c_rehash" - to the best of my knowledge,
> FreeRadius doesn't make use of a "certificate directory" with the
> openssl-style .0 -> real.pem symlinks. Forget about that.
>
> Can you please provide:
>
>  * a copy of your eap.conf
>  * a copy of the files from the "eap { tls {} }" section:
>    * certificate_file
>    * CA_file
>  * a copy of the client cert:
>    * [EMAIL PROTECTED]


ok :) I provide the certificate files and eap.conf in a tarball so as not to
post a mail that is too long.
If I print [EMAIL PROTECTED] in text form I see that radius is the
issuer of the certificate. This is the default PKI and I don't know what
I'm doing wrong.

Thanks for your attention.


files.tar
Description: Binary data

Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Phil Mayers

Sergio wrote:
> Sorry, I'll do things right jeje


I haven't been reading all your emails, but what I have read is very 
confusing. So I'm sorry if I misunderstand.


The error message seems very very clear.

FreeRadius cannot verify the client certificate.

This means you have not given it the correct CA certificate.

You keep talking about "c_rehash" - to the best of my knowledge, 
FreeRadius doesn't make use of a "certificate directory" with the 
openssl-style .0 -> real.pem symlinks. Forget about that.


Can you please provide:

 * a copy of your eap.conf
 * a copy of the files from the "eap { tls {} }" section:
   * certificate_file
   * CA_file
 * a copy of the client cert:
   * [EMAIL PROTECTED]


Re: definitively, I have a problem with eap-tls

2008-07-24 Thread Sergio

Sorry, I'll do things right jeje

Log using default configuration except:

- default_eap_type = tls in eap.conf

- client 192.168.0.0/24 {
        secret    = testing123
        shortname = kely
  }
  in clients.conf, and AP configuration OK (still not in the garbage)

- wpa_supplicant with
  cert [EMAIL PROTECTED]
  private key pass whatever
  ca cert ca.pem
  Identity = user, because if I put Identity = "[EMAIL PROTECTED]"
  I got
    rlm_eap: Identity does not match User-Name, setting from EAP Identity.
    rlm_eap: Failed in handler
  from the radius debug

go!

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0,
length=223
Cleaning up request 0 ID 0 with timestamp +6
   User-Name = "user"
   NAS-IP-Address = 192.168.0.3
   Called-Station-Id = "0014c145956f"
   Calling-Station-Id = "001cf01294dd"
   NAS-Identifier = "0014c145956f"
   NAS-Port = 27
   Framed-MTU = 1400
   State = 0x8bca9aca8bcb976abb82dcb4bf9a7d57
   NAS-Port-Type = Wireless-802.11
   EAP-Message =
0x0201005d0d001603010052014e030141454c2a2c04490a119ee1bb01bef71f545786cfb41f565c94aa2fbc5c3b2600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
   Message-Authenticator = 0xe217e8279c4d42c9d30581d3ac0869a1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = "user", looking up realm NULL
   rlm_realm: No such realm "NULL"
++[suffix] returns noop
 rlm_eap: EAP packet type response id 1 length 93
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
   (other): before/accept initialization
   TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
   TLS_accept: SSLv3 write certificate A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
   TLS_accept: SSLv3 write key exchange A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
   TLS_accept: SSLv3 write certificate request A
   TLS_accept: SSLv3 flush data
   TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
 eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.3 port 3072

Re: definitively, I have a problem with eap-tls

2008-07-23 Thread Sergio

Sergio wrote:

Sergio wrote:

Hi,
continuing with Reveal MAP's problem with unknown CAs under eap-tls
using the default configuration

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

freeradius tells me this:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
--> verify error:num=24:invalid CA certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA

well, it isn't a problem:

cp server.pem root.pem
cat ca.pem >> root.pem
then I change CA_file = ${cadir}/root.pem

...and eureka, authentication successful, but

now there is a problem checking the CRL because of root.pem, so something
is wrong before making root.pem.

well, just tell freeradius how to find certificates

c_rehash /usr/local/etc/raddb/certs also doesn't work
I think Reveal had the same problem and I have read about this on the
mailing list but nothing.

Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has
somebody encountered problems with this apart from Reveal MAP and me?

P.S. the certification path in Windows isn't a problem, only tell
xp_supplicant who the root authority is (it was logical)


Also me, sergio

restarting:

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509
-hash -noout -in server.pem).0
portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash
-noout -in ca.pem).0


portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
lrwxrwxrwx 1 rootroot   6 2008-07-23 02:47 16593b28.0 -> ca.pem
lrwxrwxrwx 1 rootroot  10 2008-07-23 02:49 7d18a7eb.0 ->
server.pem

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
server.pem: OK

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
client.crt: OK

and then, the user is rejected. The other configuration files are ok,
also wpa_supplicant. Look at this Reveal, be brave jejeje.
Am I forgetting something?
I have two other eap modules working ok with a different authority than
the server's and I'm really intrigued about this. Anybody joining? jeje

regards :)





Please, any suggestion? I'm going insane. I can do a new installation 
and tell what I'm doing (only proxy_request = no, put my ap into 
clients.conf and put [EMAIL PROTECTED] into the users file)...
Also I've tried to install ca.pem and server.crt into /etc/ssl/certs 
(then openssl verify client.pem returns OK, without -CApath)


Thanks


Re: definitively, I have a problem with eap-tls

2008-07-23 Thread Sergio

Sergio wrote:

Hi,
continuing with Reveal MAP's problem with unknown CAs under eap-tls
using the default configuration

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

freeradius tells me this:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
--> verify error:num=24:invalid CA certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA

well, it isn't a problem:

cp server.pem root.pem
cat ca.pem >> root.pem
then I change CA_file = ${cadir}/root.pem

...and eureka, authentication successful, but

now there is a problem checking the CRL because of root.pem, so something
is wrong before making root.pem.

well, just tell freeradius how to find certificates

c_rehash /usr/local/etc/raddb/certs also doesn't work
I think Reveal had the same problem and I have read about this on the
mailing list but nothing.

Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has
somebody encountered problems with this apart from Reveal MAP and me?

P.S. the certification path in Windows isn't a problem, only tell
xp_supplicant who the root authority is (it was logical)


Also me, sergio

restarting:

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509
-hash -noout -in server.pem).0
portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash
-noout -in ca.pem).0


portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
lrwxrwxrwx 1 rootroot   6 2008-07-23 02:47 16593b28.0 -> ca.pem
lrwxrwxrwx 1 rootroot  10 2008-07-23 02:49 7d18a7eb.0 ->
server.pem

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
server.pem: OK

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
client.crt: OK

and then, the user is rejected. The other configuration files are ok,
also wpa_supplicant. Look at this Reveal, be brave jejeje.
Am I forgetting something?
I have two other eap modules working ok with a different authority than
the server's and I'm really intrigued about this. Anybody joining? jeje

regards :)




definitively, I have a problem with eap-tls

2008-07-22 Thread Sergio
Hi,
continuing with Reveal MAP's problem with unknown CAs under eap-tls
using the default configuration

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

freeradius tells me this:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
--> verify error:num=24:invalid CA certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA

well, it isn't a problem:

cp server.pem root.pem
cat ca.pem >> root.pem
then I change CA_file = ${cadir}/root.pem

...and eureka, authentication successful, but

now there is a problem checking the CRL because of root.pem, so something
is wrong before making root.pem.

well, just tell freeradius how to find certificates

c_rehash /usr/local/etc/raddb/certs also doesn't work
I think Reveal had the same problem and I have read about this on the
mailing list but nothing.

Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has
somebody encountered problems with this apart from Reveal MAP and me?

P.S. the certification path in Windows isn't a problem, only tell
xp_supplicant who the root authority is (it was logical)

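An added check, written for this archive and not taken from the thread or from FreeRADIUS: Phil Mayers' reply above says FreeRADIUS validates the client certificate against CA_file, not against a c_rehash'd -CApath directory, so `openssl verify -CAfile` is the offline test that mirrors it. The script builds a constructed throwaway PKI with the openssl CLI and prints the "OK" case next to one way OpenSSL produces exactly the "error 24 ... invalid CA certificate" seen in Sergio's log: an end-entity certificate (CA:FALSE, no keyCertSign) used as the client's issuer and concatenated into the trust file the way root.pem was. It assumes only that the openssl CLI (1.1.1 or later) is installed; all file and subject names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway PKI plus the same check
# FreeRADIUS performs against CA_file, i.e. `openssl verify -CAfile`.
#   good: client issued by a real CA (CA:TRUE)                 -> "client.pem: OK"
#   bad:  client issued by a non-CA server cert in the trust file -> error 24
set -eu
write_cnf() {   # minimal req/x509 config, $1 = path to write (constructed)
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
}
# issue_leaf DIR NAME ISSUER: end-entity cert NAME.pem signed by ISSUER.pem/.key
issue_leaf() {
    openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 1 -extfile "$1/x.cnf" -extensions v3_leaf \
        -out "$1/$2.pem" 2>/dev/null
}
# verify_client MODE (good|bad): builds the PKI, prints the verify result
verify_client() {
    d=$(mktemp -d); write_cnf "$d/x.cnf"
    openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/ca.key" -subj "/CN=Example CA" -days 1 \
        -out "$d/ca.pem" 2>/dev/null
    if [ "$1" = good ]; then
        issue_leaf "$d" client ca
        cp "$d/ca.pem" "$d/trust.pem"
    else
        issue_leaf "$d" server ca       # a server cert, not a CA...
        issue_leaf "$d" client server   # ...misused as the client's issuer
        cat "$d/server.pem" "$d/ca.pem" > "$d/trust.pem"   # root.pem style
    fi
    openssl verify -CAfile "$d/trust.pem" "$d/client.pem" 2>&1 || true
    rm -rf "$d"
}
verify_client good
verify_client bad
```

The second run reports "error 24 at 1 depth lookup: invalid CA certificate" at depth 1, which is the issuer, not the client certificate itself.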