Alvin Fernando <[EMAIL PROTECTED]> wrote:
> The supplicant fails to authenticate
> and i see following debug messages repeat in the log.
>
> rlm_eap: processing type tls
> rlm_ap: list_clean deleted one item
Those messages have nothing to do with the authentication failure.
Read the OTHER mes
[EMAIL PROTECTED] wrote:
> Authentication method is EAP-TLS. After (I suppose) successful
> generation of root, server and client certificates I get
> the following output from FreeRADIUS.
> What does this mean?
...
> rlm_eap_tls: SSL_read Error
...
> SSL Error . 2
It means that SSL wants mo
[EMAIL PROTECTED] wrote:
> during client authentication process FreeRadius (0.9.1) reports
> the attached messages.
>
> Here I see two problems:
>
> TLS_accept:error in SSLv3 read client certificate A
> rlm_eap_tls: SSL_read Error
That isn't much of a problem. It's fixed in the latest CVS sna
This problem is due to CA.root CA.svr CA.clt script
that use password "whatever" that can be confused
with the other password (secrets) that you input
during Cert. creation.
So on configuration of your tls module put
"whatever" as password, and see the result.
AMY
- Original Message
"Matteo Bertato" <[EMAIL PROTECTED]> wrote:
> 20473:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
...
> rlm_eap_tls: Error reading private key file
...
> All what kind of error is it?
It can't read the private key file? Maybe it got corrupted.
Yes,
I agree with you, the problem comes from My AP.
Thank you for these precisions
I am actually contacting Intel and I 'll share with you feedback.
Anyway, if anybody has some tips and feedback about using Intel Pro
Wireless 5000
Alan DeKok wrote:
I'm willing to change the code in
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> I think I have some misconfiguration but, to my point of view it comes
> from free-radius configuration.
I doubt that very much.
> Freeradius :
> 1. AP -> freeradius ACCESS REQUEST (1) : EAP message type identity
> 2. freeradius -> AP
Jason Haar <[EMAIL PROTECTED]> wrote:
> The only way I've found to get it to work is to manually
...
> There must be a cleaner way... Besides moving to another distro ;-)
Find out what is in 0.9.7b, which isn't in 0.9.6, and create patches
for FreeRADIUS to work with 0.9.6.
The server can get
Alan DeKok wrote:
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
Sorry, me again .
I think I have some misconfiguration but, to my point of view it comes
from free-radius configuration.
But I haven't found where...
I check dialog differences between Freeradius and IAS in my case using
ethere
On Thu, Aug 28, 2003 at 01:16:18AM +1000, Paul Hampson wrote:
> Was this because you linked against one, but tried to run against
> the other, or is there a problem between OpenSSL 0.9.6 and FreeRADIUS's
> EAP-TLS?
This wouldn't be a Redhat machine would it?
For better or worse, Redhat still insi
pankaj Goel <[EMAIL PROTECTED]> wrote:
> Yeah it makes sense, but I am using the same
> compilation and run-time variables for both the 0.8.1
> and cvs version like
> LD_LIBRAY_PATH=/usr/local/openssl/lib
>
> The following libs are included when i do a
>
> ldd /usr/local/sbin/radiusd
> /lib/libss
--- Paul Hampson <[EMAIL PROTECTED]> wrote:
> > From: Fabrice Beauvir
> > Sent: Thursday, 28 August 2003 12:47 AM
>
> > pankaj Goel wrote:
> >
> > >TLS_accept: before/accept initialization
> > >Segmentation fault
>
> > I got the same thing with using wrong libcrypto (0.9.6 instead 0.9.7)
> >
> From: Fabrice Beauvir
> Sent: Thursday, 28 August 2003 12:47 AM
> pankaj Goel wrote:
>
> >TLS_accept: before/accept initialization
> >Segmentation fault
> I got the same thing with using wrong libcrypto (0.9.6 instead 0.9.7)
> shared library.
> Check your LD_LIBRARY_PATH
Was this becaus
pankaj Goel wrote:
TLS_accept: before/accept initialization
Segmentation fault
I got the same thing with using wrong libcrypto (0.9.6 instead 0.9.7)
shared library.
Check your LD_LIBRARY_PATH
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> So,
> is the misconfiguration is due to the fact that my clients are MS type
> (Windows 2000 and XP) and not the radius server nor my certificates are
> wrong ?
No. As I said, the problem is that the AP is receiving an
Access-Challenge packet from
Alan DeKok wrote:
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
You've managed to convince the server to send packets to itself.
That's quite a feat.
No 192.168.6.73 is my AP ..
So sorry, It's my duty fault, it my client through the AP.
Then the AP is bouncing the Access-Chall
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> > You've managed to convince the server to send packets to itself.
> >That's quite a feat.
>
> No 192.168.6.73 is my AP ..
Then the AP is bouncing the Access-Challenge packet back to
the server.
The AP SHOULD NOT be sending Access-Challenges to
Alan DeKok wrote:
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
after generating and installing freeradius, generating and installing
certificates on server and client, I tried to initiate an EAP/TLS
negotiation but negotiation failed after the 2nd frame :
"rad_recv: Access-Challenge packet
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
>after generating and installing freeradius, generating and installing
> certificates on server and client, I tried to initiate an EAP/TLS
> negotiation but negotiation failed after the 2nd frame :
>
> "rad_recv: Access-Challenge packet from host
Hi,
Follow the steps of this article about dynamic libraries
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
good luck
omar.
wen-hong wrote:
> Fri Aug 8 14:13:30 2003 : Info: Using deprecated naslist file. Support
> for this will go away soon.
> Fri Aug 8 14:13:30 2003 : Info: Using de
you can DEFINITELY use openssl in order to produce valid certificates,
both for windows AND freeradius (which uses openssl).
the certification path is not valid probably because the root
certificate which you installed under windows expired.
ciao
artur
Antti Mattila wrote:
I tried certificates
>you can DEFINITELY use openssl in order to produce valid certificates,
>both for windows AND freeradius (which uses openssl).
>
>the certification path is not valid probably because the root
>certificate which you installed under windows expired.
>
>
>ciao
>artur
I know that many people have ma
that's why i'm trying to reassure you. it probably has nothing to do
with the version of openssl. every suite has to produce compliant
certificates. the certificate format is mandated by its form.
just verify all the certificates you installed. it's a small error
somewhere.
ciao
artur
Antti
"Jason Coutermarsh" <[EMAIL PROTECTED]> wrote:
> I apologize if I'm jumping the gun on something
> that's currently being worked on, since I am using the CVS build.
No, the problem is that the EAP-TLS module is still a little
experimental.
Try grabbing the latest version from anonymous CVS no
Artur Hecker <[EMAIL PROTECTED]> wrote:
> i think that what you receive at your radius server is neither the EAP
> Identity nor EAP Start, apparently it is a Notification message. The
> AP sends notifications to your Radius server, and the latter tries to
> send challenges back (to Alan, WHY?)
F
"Antti Mattila" <[EMAIL PROTECTED]> wrote:
> I thought about not posting the conf files but you have previously been
> rude to people that have not posted them.
I would rather have too much information than too little, which is
why I didn't mind that you had given the information. I just believ
try to check if your certificates are ok. under windows try to disable
"check server certificate" for testing.
ciao
artur
Jason Coutermarsh wrote:
I'm using the latest CVS build. The great news is that the new State
changes are working correctly with my Netgear ME103! Now I'm having
another, hope
"Antti Mattila" <[EMAIL PROTECTED]> wrote:
> When accessing the Radius with w2k Orinoco supplicant I see an error on
> Freeradius (using -X -A)
>
> modcall: entering group authenticate
> rlm_eap: EAP packet type notification id 7 length 9
> rlm_eap: EAP Start not found
Does it say it's an e
hi Alan
Alan DeKok wrote:
>
> Artur Hecker <[EMAIL PROTECTED]> wrote:
> > i think that what you receive at your radius server is neither the EAP
> > Identity nor EAP Start, apparently it is a Notification message. The
> > AP sends notifications to your Radius server, and the latter tries to
> >
> On my AP there is:
> Access requests: 2
> Access Retransmissions: 6
> Timeouts: 8
apparently, your AP thinks that it never got answers back. why? be sure,
the message sent by the server arrives at the AP and is recognized as an
answer. you can do so by using other auth types for debugging purpos
I am using Orinoco AP-2000 (with 2.3.1 firmware).
Has anyone got it working with Freeradius? I mean judging by the
Artur's comments it sends notifications
and it should send EAP/Identity or EAPOL Start. Is this Access Point's
fault or Freeradius fault?
I mean I have Freeradius and AP running and
hi Antti
i think that what you receive at your radius server is neither the EAP
Identity nor EAP Start, apparently it is a Notification message. The
AP sends notifications to your Radius server, and the latter tries to
send challenges back (to Alan, WHY?)
the notifications remain exactly the sam
To Alan DeKok:
I'm sorry. I thought about sending the files as attachment but it is
not seen as an accepted thing to do generally. I tried putting the .conf
files to one message but the e-mail client didn't allow it.
I thought about not posting the conf files but you have previously been
rude to
On Wed, 30 Jul 2003, Luca Benassi wrote:
> On Wed, 30 Jul 2003, Alan DeKok wrote:
> > Luca Benassi <[EMAIL PROTECTED]> wrote:
> > > eap-tls works fine but I need to use LDAP.
> >
> > For what? Are you willing to say what you're trying to do, and why?
>
> No problem ... :)
>
> I want to secure a
On Wed, 30 Jul 2003, Alan DeKok wrote:
> Luca Benassi <[EMAIL PROTECTED]> wrote:
> > eap-tls works fine but I need to use LDAP.
>
> For what? Are you willing to say what you're trying to do, and why?
No problem ... :)
I want to secure a 802.11 lan using eap-tls and authenticating on an ldap
s
Luca Benassi <[EMAIL PROTECTED]> wrote:
> eap-tls works fine but I need to use LDAP.
For what? Are you willing to say what you're trying to do, and why?
Alan DeKok.
Jonny Karlsson <[EMAIL PROTECTED]> wrote:
> Has anyone got eap/tls authentication working with smartcards?
I've had it working, but not with smartcards.
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> TLS_accept: SSLv3 read client key exchange A
> rlm_eap_tls: <<< TLS 1.
Francisco Javier Martinez Martinez <[EMAIL PROTECTED]> wrote:
> Anyone knows if it is possible to deploy the following scenario?
>
> Supplicant: XP Client, with an Cisco Wireless Card and a certificate made
> with OpenSSL commands,
I've been using it for the past while, it works fine.
> The pr
Hi,
I have followed those instructions and all goes perfectly.
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
I installed in Debian 3.0 r1
good luck.
Omar
Jonny Karlsson IT 00 wrote:
Hello!
Does anyone know how to implement eap/tls on Freeradius-0.9.0? I have
tried older versions alls
Jonny Karlsson IT 00 <[EMAIL PROTECTED]> wrote:
> Does anyone know how to implement eap/tls on Freeradius-0.9.0? I have
> tried older versions also but I always get the same error message when
> starting the radiusd server: "rlm_eap: Failed to link EAP-Type/tls: file
> not found".
That sounds
Michael Griego wrote:
Based on how far the process is getting, I bet your problem is easy. On
the client (XP), did you add the CA certificate to the Trusted Root
Store and choose that CA under the Authentication tab of the wireless
adapter setup? If not, have you turned off the SysTray Icon for
On Sun, 2003-07-20 at 08:19, Alan DeKok wrote:
> diomedes <[EMAIL PROTECTED]> wrote:
> > And i have seen that in my case, when the client has to send his
> > certificate (4º request), it doesn't send it, he start again with the
> > protocol ( it sends again the first request).
> > This is repeate
diomedes <[EMAIL PROTECTED]> wrote:
> And i have seen that in my case, when the client has to send his
> certificate (4º request), it doesn't send it, he start again with the
> protocol ( it sends again the first request).
> This is repeated all the time until you disconnect it.
>
> Is there any
Alan DeKok wrote:
Benoît Bécel <[EMAIL PROTECTED]> wrote:
Can we use EAP-TLS authentication on FreeRadius with the certificates in
a LDAP server ?
I don't believe so.
And more, I would like to get the VLANID for the user by LDAP (for the
Tunnel-Private-Group-Id
Hi,
I have almost managed to install the EAP/TLS authentication with my AP DWL
AP 1000 + but I have still a problem
in my freeRadius configuration.
I got the following error message :
" ...Error : rlm_eap_tls : conf N ctx stored ..."
What does it mean?
Thanks a lot for your help
Best regard
-
From: "王志欣" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 12:00 AM
Subject: Re: Re: Re: EAP/TLS Setup problem
Hi Jean-Guillaume,
Sorry for delay.
I look through your script. Only difference between us is I only use
OpenSSL-0.9.7b. Please c
---
>
>Thanks a lot for your help.
>
>Best Regards
>
>Jean-Guillaume
>
>
>
>- Original Message -
>From: "王志欣" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Friday, June 20, 2003 3:22 A
-Guillaume
- Original Message -
From: "王志欣" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 3:22 AM
Subject: Re: Re: EAP/TLS Setup problem
Hi Jean-Guillaume,
I also follow this guide. I succeed. Please post your log information.
Hi Jean-Guillaume,
I also follow this guide. I succeed. Please post your log information.
Jeson
[EMAIL PROTECTED]
2003-06-20
>Hi Umesh,
>
>I am trying to install a freeradius/EAP-TLS authentication for my wireless
>network (DWL 1000 AP +) by following the i
Hi Umesh,
I am trying to install a freeradius/EAP-TLS authentication for my wireless
network (DWL 1000 AP +) by following the instructions at
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, but
I don't manage to create correctly the certificate ...
(I use openssl-0.9.7b)
How do you manag
On Mon, Jun 02, 2003 at 07:51:56AM -0700, Sepp Rudel wrote:
> Hi,
>
> I've configured FreeRADIUS 0.8.1+OpenSSL 0.9.7b, Cisco
> AP 350 and a laptop with Linux+xsupplicant and
> WinXP+SP1.. With Linux+xsupplicant everything works
> like a charm but with WinXPSP1 after radiusd sends
> Access-Accept W
"George R. Ellis" <[EMAIL PROTECTED]> wrote:
> The malloc() in eap_tls.c:501 behaves differently on FreeBSD 5.0 than on
> Linux (RH 8.0) when (reply->length - TLS_HEADER_LEN) is zero. Under
> FreeBSD I end up with a bad address, thus a segmentation fault.
Ok...
> This seems to be the problem so
> From: Jeffery Huang
>
> Here I have succeeded to run freeradius on mips
> platform. But it seems cannot process eap-tls transaction. I
> use the same server cert, key, cacert, client cert, client
> key on X86 and mips. But X86 can accept the transaction and
> mips cannot. And show the fo
Hi,
I had this problem once, but I can't
remember how I did fix it. All I remember is that it comes from openssl.
Check if you have the right links between libcrypto.so,libcrypto.so.0 and
libcrypto.so.0.9.7 and also between libssl.so libssl.so.0 and libssl.so.0.9.7
I also advise you to install
Frederic Jacquet wrote:
Hello
try to remove every text before -BEGIN... and END CERTIFICATE - as the logs tell you
Didn't really help. And now I am not sure if the radiusd needs the
private key for server.pem, and for that matter root.pem.
Does anyone know?
Cheers
My 2 eurocent
> From: Manuel Sánchez Cuenca
>
> Hello, it is possible to create a eaptls connection with a
> client without a client certificate??
The EAP-TLS RFC allows this (if and only if the client is
authenticated by means other than TLS). However, the FreeRADIUS
implementation requires mutual TLS-authen
Hello
try to remove every text before -BEGIN... and END CERTIFICATE - as the
logs tell you
My 2 eurocents
Fred
--
Selon Project Manager <[EMAIL PROTECTED]>:
> Hi all,
>
> I've been getting mad with setting up Freeradius for EAP/TLS. Mainly the
> problems seem with OpenSSL.
>
hi jason
sub-CA's are covered by the standard CRL - they can be revoked by the
top-level CA. However, nothing can revoke the top-level CA.
once again: in the case of cross certification the other CA can.
Already covered. The CRL itself defines how long it's valid for. run:
openssl crl -in file.
I'm wondering if microsoft has released the EAP client for win98 ?
Last I read, this was not yet released, and when it would be, one
would have to pay for this software, unlike win2k, and winXP.
Anyone have any recent info ?
thanks in advance
L. Jacob wrote:
Alan,
Thank-you for the response,
Hi,
you were so right... and I am so blind...
Artur Hecker wrote:
hi
Thanks to the EAP/TLS Howto, I was able to setup the radius server
and get all the authentication I needed going.
Now the script, which creates the root certificate, generates
root.pem with a lifetime of 30 days.
After th
Thanks Artur,
hopefully, you can help me with a couple of things here:
When the 'root' certificate runs out, what should / can I do?
- it looks like I can not extend it's lifetime?
- will a re-creation invalid the client certificates? Does a
distribution of the root.der file have to be "safe"?
On Thu, Mar 20, 2003 at 02:07:03PM +0100, Artur Hecker wrote:
> anyway, put aside all this chicken/egg stuff, there can be no doubt
> about it: theoretically, the cert of the CA has to be checked for
> revocation too. consider e.g. hierarchical CA structures or the
> mentioned cross certificatio
"L. Jacob" <[EMAIL PROTECTED]>wrote:
> I am surprised, however, I thought if FreeRADIUS loads EAP (both md5 and
> tls modules) correctly, and in the "users" file if a user specifies
> something like:
>
> adam-ctl Auth-Type := EAP
>
> I thought it would override the default "system" and tell
of course it works!!!
the authorization section will describe which authentication method to
use. AuthType := System is perfect (personally i would take Local,
sounds more logical to me :)) as long as you have some authorization
section module telling to use something different. For EAP such a
hi
Well it actually doesn't have to. Go get yourself a cert from Verisign - note
how there's no mention of a CRL in it
well, if you use CRLs, it should. that what i meant. verisign does not
use it, that's the whole point. probably, because nobody knows exactly
how to use it in the first plac
Alan,
Thank-you for the response, I've taken your advice and searched for
Auth-Type := System (in file "users"). I have changed the default
Auth-Type := System to Auth-Type =: EAP.
I am surprised, however, I thought if FreeRADIUS loads EAP (both md5 and
tls modules) correctly, and in the "user
"L. Jacob" <[EMAIL PROTECTED]> wrote:
> The FreeRADIUS server itself IS loading TLS module, yet is using
> "Auth-Type System" (further down in the output) is this right? Shouldn't
> it be using "Auth-Type EAP"?
Not if you told it to use Auth-Type := System, which is the way it
comes by default
On Wed, Mar 19, 2003 at 06:53:28PM +0100, Artur Hecker wrote:
> in fact, the latter is the only real alternative because the certificate
> *has* to point to its proper CRL. also the CRL has to be dated and
> signed by the CA. except, the certificate of the CA itself has to be
> valid too (not ex
Thanks Artur,
Artur Hecker wrote:
hi
Thanks to the EAP/TLS Howto, I was able to setup the radius server
and get all the authentication I needed going.
Now the script, which creates the root certificate, generates
root.pem with a lifetime of 30 days.
After that authentication doesn't work,
hi
Look at mod_ssl for Apache, and the smime component of openssl - both do CRL
checking.
i actually meant 802.1X clients but thanks for this info.
To get you started: CRL are dealt with by manually downloading the .crl and
referring to it by filename under Apache (works really well), and
crlDi
hi
Thanks to the EAP/TLS Howto, I was able to setup the radius server and
get all the authentication I needed going.
Now the script, which creates the root certificate, generates root.pem
with a lifetime of 30 days.
After that authentication doesn't work, OK. Last month I recreated
everyth
On Wed, Mar 12, 2003 at 06:28:48PM +0100, Artur Hecker wrote:
> you will have to add code.
>
> a propos, do you know ANY existing piece of software which checks the CRLs?
>
Look at mod_ssl for Apache, and the smime component of openssl - both do CRL
checking.
To get you started: CRL are dealt w
hi
> hi
>
>
> > I'm using FreeRADIUS and OpenSSL for EAP-TLS authentication. It's working
> > correctly, but I don't know how to configure FreeRADIUS to enable CRL
> > (Certificate Revocation List).
>
> i think it's not possible for the moment.
>
>
> > I make a client's certificate signed by CA an
hi
I'm using FreeRADIUS and OpenSSL for EAP-TLS authentication. It's working
correctly, but I don't know how to configure FreeRADIUS to enable CRL
(Certificate Revocation List).
i think it's not possible for the moment.
I make a client's certificate signed by CA and this client can log in. But
> you *should* have at least devel version of 0.9.7beta. former it always
> was the newer the better.
Looking at openssl.org there actually is a 0.9.7a which is a follow-up to
0.9.7. I believe that that is what I have installed.
> perhaps you should regenerate your Certificates using the same Op
hi
Yes, that would be the right thing to do. Unfortunately, I'm not certain I
can get those RPM's again. I think I'm going to have to get it working with
the current versions.
as you want. i'm sure, the version exists somewhere at openssl.org (no
rpm but the sources).
For more background, I
> From: "Artur Hecker" <[EMAIL PROTECTED]>
> the evident decision would be to downgrade to the earlier version.
>
Yes, that would be the right thing to do. Unfortunately, I'm not certain I
can get those RPM's again. I think I'm going to have to get it working with
the current versions.
> but the
the evident decision would be to downgrade to the earlier version.
but the background would be interesting. what does it say? it should
work with newer versions.
ciao
artur
> [EMAIL PROTECTED] wrote:
>
> Hello,
>
> I had EAP-TLS working perfectly, but somehow managed to break it. I'm
> hop
hi dmitri
May I post to you my certs in your private mail??
i don't think that it will change anything. if you produced the
certificates with the scripts of adam, they are probably alright and
similar to all the others (for winxp add the extensions needed - see the
eap/tls howtos by ken rosner
Hi Artur
> i'm not familiar with xsupplicant, sorry. i hope you added the client
> certificate WITH private key somewhere. what's this key field?
> shouldn't it be the key of the private key of the client certificate?
May I post to you my certs in your private mail??
> > at system console typing
hi
For client authorization I use xsupplicant - http://www.open1x.org/
xsupplicant config file
MegaWiFi:id = radiotest
MegaWiFi:cert = radiotest.der
MegaWiFi:key = radiotest.pem
MegaWiFi:root = root.pem
MegaWiFi:auth = EAP
MegaWiFi:type = wireless
from root.pem I remove private key
i'm not famila
Hi Artur
> you need exactly the following:
>
> > cert-clt.p12
> > cert-srv.pem
> > root.pem
For client authorization I use xsupplicant - http://www.open1x.org/
xsupplicant config file
MegaWiFi:id = radiotest
MegaWiFi:cert = radiotest.der
MegaWiFi:key = radiotest.pem
MegaWiFi:root = root.pem
Meg
hi
you need exactly the following:
> cert-clt.p12
> cert-srv.pem
> root.pem
and no private key should be in root.pem (though it doesn't matter now)
> Radiusd.conf
>
> CA_file = ${confdir}/eap-test/root.pem
this should point to root.pem from above and the root.pem should contain
public key (
Hi Artur
> > rlm_eap_tls: Length Included
> > <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> > ^^^
>
> did you add the certificate of the CA which signed and issued the user
> certificate into root.pem and configured it to be the CA file in
>
hi
> rlm_eap_tls: Length Included
> <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> ^^^
did you add the certificate of the CA which signed and issued the user
certificate into root.pem and configured it to be the CA file in
radiusd.conf?
ciao
if i understand correctly, you only want to authenticate the
network-side but not the client side.
i don't think that is possible for the simple reason: in 802.1X in some
cases it would result in no authentication at all. client can not be
forced to verify presented server certificate (as you kno
hi
excuse my question, my did you or did you not put the autosigned CA
certificate of the CA which issues/signs the client certificate in the
root.pem file of your freeradius server?
ciao
artur
wsy wrote:
>
> Dear all,
>
> This question is about implementing a WLAN environment which supports
I think mine came from openssl-SNAP-20021027.tar.gz
I got this file from http://www.missl.cs.umd.edu/wireless/eaptls/.
David Baer wrote:
I'm setting up FreeRadius to work with Windows XP. I'm following the howto by
Raymond McKay (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm).
hi
it is CERTAIN that it won't work and you can get the newest 0.9.8 beta
at openssl.org in the CVS tree.
if this machine is used for production purposes etc. and uses openssl
for internal security, you should consider installing 0.9.8 parallel to
the older (stable) version you have.
ciao
artu
hi
the thread name is actually wrong since this is not a problem in
EAP-TLS.
> I have a wireless network with cisco aironet 350 AP and a cisco card
> and I use win xp as
> supplicant.
> If I don't use (in win XP) the "the key is provided for me
> automatically" it's all ok.
nice, so EAP-TLS i
you don't need x99 token.
go in the src/modules directory, locate the "stable" file and throw it
out of the list.
ciao
artur
Nikhil Chauhan wrote:
>
> Hi Artur:
>
> Thanks for your suggestions. I heartily appreciate
> them.
>
> The problem with SSL_set_msg_callback seems to be
> fixed now.
Hi All:
The solution...
* Clean-up all prior versions of freeRADIUS and
openSSL
* Install the latest BETA version of openssl
(0.9.7-beta4)
* Download latest version of freeRADIUS(0.8)
* Run ./configure under freeRADIUS root directory
* Do necessary changes in the Makefile under
rlm_eap_tls di
Hi Artur:
Thanks for your suggestions. I heartily appreciate
them.
The problem with SSL_set_msg_callback seems to be
fixed now. I installed the latest Beta version of the
openssl and /usr/local/lib/ldd rlm_eap_tls-0.7-pre.so
seems to give me libraries from this version of
openssl. I tried again w
nikhil:
as i already said to you:
- upgrade to the newest version, why do you still use the 0.7.1?
- assure that the "old" openssl is not involved into the compilation
your problem is evidently that the rlm_eap_tls used by freeradius is
compiled to use the old openssl OR it uses this for unclea
Hi:
Any more pointers on the same subject(please look at
the email thread) would be highly appreciated. My
radius log looks like this:
root@tstpc11:/usr/sbin > run_radius -X -A > radius_log
+ LD_LIBRARY_PATH=/usr/local/openssl/lib
+ LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
+ export LD_LIBR
Hi Artur:
My
"freeradius-0.7.1/src/modules/rlm_eap/types/rlm_eap_tls/Makefile"
looks like the following:
===
# Generated automatically from Makefile.in by
configure.
TARGET = rlm_eap_tls
SRCS= rlm_eap_tls.c eap_tls.c cb.c tls.c
mppe_key
hi Nikhil
in my case i have:
radius:/usr/local/lib# ldd rlm_eap_tls-0.8-pre.so
libnsl.so.1 => /lib/libnsl.so.1 (0x400df000)
libresolv.so.2 => /lib/libresolv.so.2 (0x400f3000)
libpthread.so.0 => /lib/libpthread.so.0 (0x40104000)
libc.so.6 => /lib/libc.so.6 (0x40118
My radius_run script-file has the following paths:
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
I tried to add /usr/local/openssl before /usr/local in the /etc/ld.so.conf.
It still picks up utilities from /usr/local/openssl/lib/ ;-(
Artur Hecker <[EMAIL P
ah yes, you are right.
which paths do you have in your makefile?
of openssl which are in /usr/local/openssl/lib/. Am I correct? If so,
which file do
yepp, definitely.
you could also try to alter your ld.config in /etc and add the new
paths before the old ones, just for the test. later, if
check the rights, it could be that the server can't reach the libs when
started as nobody.
ah, and consider updating.
--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13
http://www
1 - 100 of 151 matches