hi forum,
I'm trying to connect a Windows XP client (I'm also trying with Vista)
to freeradius with EAP-TLS. I made my set of certificates (from this
site http://www.linuxjournal.com/node/8095/print) and now I have: CA,
radius_cert.pem, radius_key.pem, radius_keycert.pem, radius_req.pem,
cliente_cert.p12, cliente_key.pem, cliente_cert.pem, cliente_req.pem,
dh, random, xpextensions, xpclient_ext, xpserver_ext
I've configured eap.conf this way:
tls {
certdir = ${confdir}/certs2
cadir = ${confdir}/certs2
private_key_password = ***
# radius_keycert.pem is the combined key + certificate PEM, so the same
# file is used for both settings
private_key_file = ${certdir}/radius_keycert.pem
certificate_file = ${certdir}/radius_keycert.pem
CA_file = ${cadir}/cacert.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
}
And I've installed my cacert.pem and cliente_cert.p12 via mmc into
Trusted Root Certification Authorities and Personal - Certificates,
respectively.
When I try to connect to freeradius my log is this (it's too long
because I see the same request again and again):
rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=159,
length=199
User-Name = "carlosg...@realmprueba.com"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "00116b3f0ce5"
Calling-Station-Id = "00215d9ade9a"
NAS-Identifier = "Realtek Access Point. 8181"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x021a016361726c6f7367617269407769746563682e636f6d
Message-Authenticator = 0xc6247c05f7aae962aecbc459c9416907
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "realmprueba.com" for User-Name =
"carlosg...@realmprueba.com"
[suffix] Found realm "realmprueba.com"
[suffix] Adding Realm = "realmprueba.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[sql] expand: %{User-Name} -> carlosg...@realmprueba.com
[sql] sql_set_user escaped user --> 'carlosg...@realmprueba.com'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username =
'carlosg...@realmprueba.com' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT groupname FROM usergroup
WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT
groupname FROM usergroup WHERE username =
'carlosg...@realmprueba.com' ORDER BY id
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = 'Navega Mes' ORDER BY id
[sql] User found in group Navega Mes
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 159 to 10.0.0.1 port 3072
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0x84a02e6384a123686383961ecc8fb910
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=160,
length=191
User-Name = "carlosg...@realmprueba.com"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = "00116b3f0ce5"
Calling-Station-Id = "00215d9ade9a"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0x84a02e6384a123686383961ecc8fb910
Message-Authenticator = 0xe9335e399fadf61413fddd7e717c778f
+- entering group authorize {...
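Editor's note: the EAP-Message values in a radiusd -X log are just hex-encoded EAP packets (RFC 3748: code, id, 2-byte length, type, data), and decoding the two six-byte ones above tells the story of this exchange. 0x010100060d20 is a Request, id 1, type 13 (EAP-TLS) with the S (Start) flag set: the server is offering EAP-TLS. 0x020100060319 is the client's Response, id 1, type 3 (Nak) with data 0x19 = 25: the supplicant is refusing EAP-TLS and asking for PEAP instead. The decoder below is an added example and is not code from the original post or from FreeRADIUS; it only needs the Python standard library. The first EAP-Message in the log as pasted is 24 bytes although the log reports length 26, so it is not decodable as posted; the Identity sample in the block is therefore a constructed packet for a made-up user, not the poster's.

```python
"""Decode EAP-Message attribute values as printed by FreeRADIUS debug output (radiusd -X)."""

# EAP codes, RFC 3748 section 4
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method types from the IANA EAP registry; only the ones common in 802.1X deployments
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
    43: "EAP-FAST",
}

# Flag bits shared by the TLS-based methods (EAP-TLS, EAP-TTLS, PEAP)
FLAG_LENGTH_INCLUDED = 0x80
FLAG_MORE_FRAGMENTS = 0x40
FLAG_START = 0x20

# The two well-formed values from the posted log
SERVER_TLS_START = "0x010100060d20"
CLIENT_NAK = "0x020100060319"

# Constructed sample (not from the post): an EAP Identity response for a made-up user
IDENTITY_RESPONSE = "0x" + (bytes([2, 0, 0, 21, 1]) + b"user@example.com").hex()


def decode_eap(hex_value):
    """Parse one EAP-Message value into a dict describing the packet."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # Catches truncated or mis-pasted log lines before we misread the bytes
        raise ValueError(f"length field says {length} bytes but {len(raw)} are present")
    result = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):
        return result  # Success and Failure carry no Type field
    if length < 5:
        raise ValueError("Request/Response packet without a Type byte")
    eap_type, data = raw[4], raw[5:]
    result["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 1:
        result["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == 3:
        # Nak: the peer rejects the offered method and lists the types it will accept
        result["wanted"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
    elif eap_type in (13, 21, 25):
        flags = data[0] if data else 0
        result["flags"] = {
            "L": bool(flags & FLAG_LENGTH_INCLUDED),
            "M": bool(flags & FLAG_MORE_FRAGMENTS),
            "S": bool(flags & FLAG_START),
        }
        if eap_type == 25:
            result["version"] = flags & 0x07  # PEAP keeps its version in the low bits
    return result


def explain(hex_value):
    """One-line human summary of an EAP-Message value, for reading logs quickly."""
    p = decode_eap(hex_value)
    summary = f"{p['code']} id={p['id']} len={p['length']}"
    if "type" in p:
        summary += f" type={p['type']}"
    if "identity" in p:
        summary += f" identity={p['identity']!r}"
    if "wanted" in p:
        summary += " peer wants " + ", ".join(p["wanted"])
    if "flags" in p:
        summary += " flags=" + "".join(k for k, v in p["flags"].items() if v)
    return summary


if __name__ == "__main__":
    for value in (SERVER_TLS_START, CLIENT_NAK, IDENTITY_RESPONSE):
        print(value, "->", explain(value))
```

A Nak answering the EAP-TLS Start means the server side never gets to present its certificate, so certificate problems cannot be the cause of the loop; the supplicant simply is not configured for EAP-TLS. On Windows XP and Vista the wireless profile's EAP type has to be "Smart Card or other Certificate" (which is EAP-TLS) rather than "Protected EAP (PEAP)", the default. Running the decoder over every EAP-Message line of a longer log is the quickest way to see whether the conversation ever progresses past this point.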