Re: problem with eap-tls between FR and XP client

2009-05-07 Thread Alan DeKok
bLn wrote:
> I'm trying to connect a Windows XP client (also I'm trying with Vista)
> with freeradius with EAP-TLS. I made my set of certificates (from this
> site http://www.linuxjournal.com/node/8095/print)

  Why?  If you just start the server in debugging mode after you first
install it, it will create temporary certificates for you.  The
raddb/certs directory also has Makefiles and OpenSSL configuration files
that allow you to easily create certificates.

  Did you not see them when you edited the RADIUS configuration?

  Did you not see the *DOCUMENTATION* saying that this happened when you
edited the "tls" section of "eap.conf" ?

> When I try to connect with freeradius my log is this: (it's too long 
> because I see the same request again and again)
...
> Sending Access-Challenge of id 171 to 10.0.0.1 port 3072
>    EAP-Message = 0x0108000a0d80
>    Message-Authenticator = 0x
>    State = 0x2f6428b72c6c25c07b0fb3246e0f1a2d
> Finished request 12.
> Going to the next request
> Waking up in 0.8 seconds.
> Cleaning up request 0 ID 159 with timestamp +21

  Yes.  This is a common problem.  The discussion of the cause, and how
to fix it, is in the FAQ, and in the comments in eap.conf.

  Where should we put documentation so that you will READ it?
Apparently including it with the server doesn't help.


> I've tried with Mikrotik APs too and I got the same error. I think
> freeradius is waiting for the request from the client and it never
> comes back, but I'm not sure.

  The reason is documented.  Lots.

  I've never been able to understand why people spend huge amounts of
time working with third-party web sites and guides that are YEARS out of
date, when they could just read the documentation included with the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


problem with eap-tls between FR and XP client

2009-05-06 Thread bLn

hi forum,

I'm trying to connect a Windows XP client (I'm also trying with Vista)
to freeradius using EAP-TLS. I made my set of certificates (from this
site http://www.linuxjournal.com/node/8095/print) and now I have: CA,
radius_cert.pem, radius_key.pem, radius_keycert.pem, radius_req.pem,
cliente_cert.p12, cliente_key.pem, cliente_cert.pem, cliente_req.pem,
dh, random, xpextensions, xpclient_ext, xpserver_ext


I've configured eap.conf this way:

tls {
   certdir = ${confdir}/certs2
   cadir = ${confdir}/certs2
   private_key_password = ***
   private_key_file = ${certdir}/radius_keycert.pem
   certificate_file = ${certdir}/radius_keycert.pem
   CA_file = ${cadir}/cacert.pem
   dh_file = ${certdir}/dh
   random_file = ${certdir}/random
   cipher_list = "DEFAULT"
   make_cert_command = "${certdir}/bootstrap"
}


And I've installed my cacert.pem and cliente_cert.p12 via mmc into
Trusted Root Certification Authorities and Personal - Certificates,
respectively.


When I try to connect with freeradius my log is this (it's too long
because I see the same request again and again):

rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=159, length=199
   User-Name = "carlosg...@realmprueba.com"
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
   Called-Station-Id = "00116b3f0ce5"
   Calling-Station-Id = "00215d9ade9a"
   NAS-Identifier = "Realtek Access Point. 8181"
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Service-Type = Framed-User
   Connect-Info = "CONNECT 11Mbps 802.11b"
   EAP-Message = 0x021a016361726c6f7367617269407769746563682e636f6d
   Message-Authenticator = 0xc6247c05f7aae962aecbc459c9416907
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "realmprueba.com" for User-Name = "carlosg...@realmprueba.com"
[suffix] Found realm "realmprueba.com"
[suffix] Adding Realm = "realmprueba.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[sql]   expand: %{User-Name} -> carlosg...@realmprueba.com
[sql] sql_set_user escaped user --> 'carlosg...@realmprueba.com'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'carlosg...@realmprueba.com'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT groupname   FROM usergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT groupname   FROM usergroup   WHERE username = 'carlosg...@realmprueba.com'   ORDER BY id
[sql]   expand: SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = 'Navega Mes'   ORDER BY id
[sql] User found in group Navega Mes
[sql]   expand: SELECT id, groupname, attribute, value, op   FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute, value, op   FROM radgroupreply   WHERE groupname = 'Navega Mes'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 159 to 10.0.0.1 port 3072
   EAP-Message = 0x010100060d20
   Message-Authenticator = 0x
   State = 0x84a02e6384a123686383961ecc8fb910
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=160, length=191
   User-Name = "carlosg...@realmprueba.com"
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
   Called-Station-Id = "00116b3f0ce5"
   Calling-Station-Id = "00215d9ade9a"
   NAS-Identifier = "Realtek Access Point. 8181"
   NAS-Port-Type = Wireless-802.11
   Service-Type = Framed-User
   Connect-Info = "CONNECT 11Mbps 802.11b"
   EAP-Message = 0x020100060319
   State = 0x84a02e6384a123686383961ecc8fb910
   Message-Authenticator = 0xe9335e399fadf61413fddd7e717c778f
+- entering group authorize {...
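As an added example (not code from the thread or from FreeRADIUS), a small decoder for the EAP-Message values that FreeRADIUS prints in this debug output, following the EAP header layout of RFC 3748 and the EAP-TLS flags byte of RFC 5216. Run on the id=159 challenge and the id=160 reply above, it shows the server sending an EAP-TLS Start and the client answering with a Nak that proposes type 25 (PEAP); the identity line as reproduced in the post fails the length check, so the decoder rejects it instead of guessing.

```python
import struct

# EAP codes and method types from the IANA registry (RFC 3748, 5216, 5281)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap_message(hexstr):
    """Decode one EAP-Message value as FreeRADIUS prints it (0x...).

    Raises ValueError when the EAP length field disagrees with the number
    of bytes present, which is what a mangled or truncated dump looks like.
    """
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field says {length}, {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        etype = data[4]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            pkt["identity"] = data[5:].decode("utf-8", "replace")
        elif etype == 3:
            # A Nak lists the method types the peer is willing to use instead
            pkt["wants"] = [EAP_TYPES.get(t, t) for t in data[5:]]
        elif etype == 13 and length >= 6:
            flags = data[5]  # EAP-TLS flags byte: L(ength) M(ore) S(tart)
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20)}
    return pkt


def explain_exchange(challenge_hex, response_hex):
    """One-line verdict on a Request/Response pair taken from the debug log."""
    req = decode_eap_message(challenge_hex)
    rsp = decode_eap_message(response_hex)
    if rsp.get("type") == "Nak":
        wanted = ", ".join(str(t) for t in rsp["wants"])
        return (f"server offered {req.get('type')}, client sent Nak asking for "
                f"{wanted}: the supplicant does not accept {req.get('type')}")
    return f"server offered {req.get('type')}, client answered with {rsp.get('type')}"


if __name__ == "__main__":
    # Values copied from the log in the original post (id=159 challenge, id=160 reply)
    print(explain_exchange("0x010100060d20", "0x020100060319"))
```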