Please suggest any document which can help in better understanding on
TLS Authentication.
Arvind, I also faced the same issue at beginning, but I would suggest to
read Freeradius own documentation. That is probably the best.
On Mon, Sep 23, 2013 at 7:45 PM, arvind132 . wrote:
> Hi,
> I am
Thanks Martin,
I had already changed this in the config, but it led me to the real issue
which was that I'd added a "eap inner-eap" section to my eap.conf, but I
also had a modules/inner-eap file from the default config. When I removed
modules/inner-eap file it all works fine.
Thanks again,
John
On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
> EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
> doesn't.
Hi.
make fragment_size in modules/inner-eap smaller than fragment_size in eap.
Hi All,
Just to let you all know I did get all my setup working (took me a while being
not a linux guru) but it does work as expected. Just in case anyone was
wondering :)
Many thanks all
Ken
:)
On 29 August 2013 at 16:05 "ken.farrington" wrote:
> Hi All,
>
> Is there a way if I had 10 cli
On 05/24/2013 09:12 AM, Pieter Hulshoff wrote:
Hello all,
I'm new to the list, relatively new to authentication, and I'm trying to figure
out some details regarding the RFCs. I was hoping some of you might be able
and willing to help me out here.
As I understand it, using TLS you can authentica
On 07/03/13 16:01, Bertalan Voros wrote:
Has anyone seen this before?
I see all kinds of weirdness from clients.
Fundamentally, the problem is at the client - it didn't send a
certificate - so you need to troubleshoot it there.
-
List info/subscribe/unsubscribe? See http://www.freeradius.or
Quoting a.l.m.bu...@lboro.ac.uk:
you might want to look into 'eduroam CAT' tool - ask your NREN
federation/eduroam people about it.
Thanks very much! I'll look into it.
who are your instructions aimed at? I worry a great deal about them
because you aren't telling them to install/verify a CA or
Hi,
> Eventually, though, it turned out that the most important issue was
> with OS X 10.7 (Lion). With this particular version of Apple's OS,
yes, I know. Apple suck for doing this. I manage campus network at
Loughborough university and eduroam federation in the UK
and so am well aware of OSX a
Quoting a.l.m.bu...@lboro.ac.uk:
SSL certs can be in various formats. Ones that are 'usable'
depends on the underlying code, but the useful types are
usually PEM, DER (also known as CER) and P12 - these are
all active certs. CSR is a certificate signing request file
and isn't a valid cert for c
Muhammad Nadeem wrote:
> I succeed to authenticate the users from a database.
> But when i setup the same setup on another machine, I was failed :(
> The following output is the debug output of the freeradius server. (I
> think EAP NAK,, is creating problems).
Yes. Read the debug output.
> [e
On 02/19/2013 09:16 AM, Muhammad Nadeem wrote:
On 2/19/13, Phil Mayers wrote:
On 19/02/13 09:11, Muhammad Nadeem wrote:
Hi, everybody
I have used pre-shipped certificates of Freeradius for testing
purpose. This testing was succeed with a test user 'bob', with files
authentication.
Now in the n
On 19/02/13 14:16, Muhammad Nadeem wrote:
[eap] EAP NAK
[eap] NAK asked for bad type 0
You've mis-configured the client. Go back and look at it again.
On 2/19/13, Phil Mayers wrote:
> On 19/02/13 09:11, Muhammad Nadeem wrote:
>> Hi, everybody
>> I have used pre-shipped certificates of Freeradius for testing
>> purpose. This testing was succeed with a test user 'bob', with files
>> authentication.
>> Now in the next step I wanna authenticate a us
On 19/02/13 09:11, Muhammad Nadeem wrote:
Hi, everybody
I have used pre-shipped certificates of Freeradius for testing
purpose. This testing was succeed with a test user 'bob', with files
authentication.
Now in the next step I wanna authenticate a user from my Database with
Digital certificates.
On 18/02/13 10:57, Muhammad Nadeem wrote:
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/client.pem"
private_kry="/usr/local/etc/raddb/certs/server.key"
^^^ typo - should be "client.key"
This is basic stuff; please read the docs for wpa_supplicant/eapol_te
Hi,
> > (but this mailing list isnt a support forum for either of those tools!)
I guess you don't read what I post... which means I'm not likely to answer you.
alan
On 2/18/13, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Thankfully, this isn't correct. You can use "eapol_test" which comes
>> with the "wpa_supplicant" source to test pretty much every EAP type
>> there is, including EAP-TLS.
>>
>> To the OP - download wpa_supplicant sources and build eapol_test.
On 2/18/13, Phil Mayers wrote:
> On 02/18/2013 06:31 AM, Tobias Hachmer wrote:
>> Hello Muhammad,
>>
>> On 18.02.2013 07:17, Muhammad Nadeem wrote:
>>> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
>>> have configured eap.confg to use EAP-TLS. But i don't know , how to
>>>
Hi,
> Thankfully, this isn't correct. You can use "eapol_test" which comes
> with the "wpa_supplicant" source to test pretty much every EAP type
> there is, including EAP-TLS.
>
> To the OP - download wpa_supplicant sources and build eapol_test.
eapol_test is VERY powerful... and there are even
On 02/18/2013 06:31 AM, Tobias Hachmer wrote:
Hello Muhammad,
On 18.02.2013 07:17, Muhammad Nadeem wrote:
Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
have configured eap.confg to use EAP-TLS. But i don't know , how to
send requests to freeradius server, so that he can
Hello Muhammad,
On 18.02.2013 07:17, Muhammad Nadeem wrote:
Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
have configured eap.confg to use EAP-TLS. But i don't know , how to
send requests to freeradius server, so that he can authenticate the
user using TLS (with digital c
Hi,
> https://wiki.thayer.dartmouth.edu/display/computing/Configuring+an+OS+X+Mac+for+the+Dartmouth+Secure+Wireless+Network
>
> In this example, the users are given a personalized *.cer
> certificate to add to their keychain. Since I don't have any
> client.cer files, I tried this approach with a
Jaap Winius wrote:
> Can anyone say what I should be doing differently? E.g. are *.cer
> certificates mandatory (if so, how can I make them?), or can I not use
> my self-signed certificates?
I'm always use pem or crt files, not *.cer. It works on my Mac.
Alan DeKok.
Hi,
> official website.
> But i have a problem, when I want to "make eapol_test" it give the
> following error.
> /usr/bin/ld: cannot find -lnl
> collect2: ld returned 1 exit status
> make: *** [eapol_test] Error 1
> Any idea about this error?//
compilation error due to missing libraries.
On 2/15/13, Stefan Winter wrote:
> Hi,
>
>> I have configured freeradius to entertain EAP-TLS requests. And i am
>> using the freeradius certificate (shipped with software). I got stuck
>> at end, now i don't know how to send EAP-TLS request to server.
>> I read man radeapclient, but it only suppo
Hi,
> I have configured freeradius to entertain EAP-TLS requests. And i am
> using the freeradius certificate (shipped with software). I got stuck
> at end, now i don't know how to send EAP-TLS request to server.
> I read man radeapclient, but it only support md5. Could you please
> tell me how co
in users files
- have the "right" certificate
From: a.l.m.bu...@lboro.ac.uk
To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
Subject: Re: [EAP/TLS] Authenfication through a certificate
Date: Fri, 8 Feb 2013 16:20:20 +
As already said, post output of radiusd -X
(th
As already said, post output of radiusd -X
(that will clearly show the logic taken)
alan
}
It's like when condition is checked, it bypassed "users" file.
Maybe, i must move these lines under authorize ?
anyone to confirm it ?
cheers
> Date: Mon, 4 Feb 2013 10:32:22 -0500
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.o
vazoumana fofana wrote:
> i've got question about EAP/TLS and authentification for a client
> through a certificate ?
> I succeed setting up. But , i notice that freeradius matches client
> login with certificate CNAME.
> Is it possible to change it in order to match email instead of CNAME ?
Yes
Thanks for the additional info on timers.
Here are the values, hope i didn't leave out something. Basically we left
them set to default.
timer expire for eap is 60
cleanup delay is set to 5
reject delay to 1
max request time is 30
uros
On Mon, Nov 26, 2012 at 12:14 PM, alan buxey wrote:
> Hi,
Hi,
>I've interrupted the test after the described process was already going
>on for 2 min.
>
>Don't know exactly what timers you mean. I checked time settings on
>servers. NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to
>GMT. Please correct me if that's not w
Hi,
I've interrupted the test after the described process was already going on
for 2 min.
Don't know exactly what timers you mean. I checked time settings on servers.
NAS has GMT+1 and FreeRADIUS server UTC. Will change NAS time to GMT.
Please correct me if that's not what you meant.
On Mon, No
Hi,
>The results are really interesting and not expected.
how long does the process take? what are your NAS timers and FreeRADIUS timers?
alan
Phil, thank you for your reply!
I've tried to debug as you suggest. I run wireshark on the remote side +
tcpdump on the server side.
The results are really interesting and not expected.
As the client is disconnected, it sends an auth request to the server.
Server gets the request and after a suc
On 20/11/12 12:38, Swaraj wrote:
Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01
That's very odd. It looks like a problem with OpenSSL - maybe
endian-ness or something?
I created certificates with the fo
On 20/11/12 13:26, Alan DeKok wrote:
Swaraj wrote:
I'm using Freeradius server2.1.12 on x86 fedora14. My client is using
(armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
server I am receiving the following errors.
The client is broken. It's not doing SSL correctly.
Swaraj wrote:
> I'm using Freeradius server2.1.12 on x86 fedora14. My client is using
> (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
> server I am receiving the following errors.
The client is broken. It's not doing SSL correctly.
> Do we require different certificat
On 11/19/2012 08:23 AM, PENZ Robert wrote:
My first question is, how can I decode a EAP-Message from the debug
Wireshark, or read the EAP RFC and decode it manually (see below)
log to check if the request is itself ok. Here is first packet from
No, this is *not* the first packet, because i
Phil Mayers schrieb:
Is it possible your wireless networking equipment is mangling the
hostnames? Which vendor are you using?
Mhh, I can check that again, it's an old Linksys-AP. I'll see if that
happens also with the other more professional hardware we have.
Have you verified that you really
On 12/10/12 13:59, Alexandros Gougousoudis wrote:
Hi David,
David Mitton schrieb:
If the OP is observing such behavior, he needs to figure out why (what
turned it on, is it consistent or the same for all users) and work
with that.
It is consistent for all machines in the network. To figure ou
On 12/10/12 13:48, David Mitton wrote:
The behavior _is_ configurable, but as you have observed for your
particular network, the default is not to attempt machine auth. It is
configurable on a per-network connection basis, I'm getting fuzzy on if
it's adapter or SSID based.
No, you've misunde
Hi David,
David Mitton schrieb:
If the OP is observing such behavior, he needs to figure out why (what
turned it on, is it consistent or the same for all users) and work
with that.
It is consistent for all machines in the network. To figure out why this
happened, is exactly what I want to do.
The behavior _is_ configurable, but as you have observed for your
particular network, the default is not to attempt machine auth. It
is configurable on a per-network connection basis, I'm getting fuzzy
on if it's adapter or SSID based.
If the OP is observing such behavior, he needs to fig
Hi,
Phil Mayers schrieb:
We don't see that behaviour. We consistently see "host/". Check you
aren't mangling the hostnames in your FreeRADIUS config.
Strange, but thanks for watching. We're not mangling anything in FR.
That's what I see, running FR in Debug-Mode. Maybe because we're running
On 10/12/2012 09:59 AM, Alexandros Gougousoudis wrote:
Hi Phil,
Phil Mayers schrieb:
I don't understand - you're saying that, for windows clients:
1. On wi-fi they send host/name.domain.com
2. On LAN, then send... something else?
Are you sure? We don't see that.
Exactly. On wifi they send
Hi,
> Phil Mayers schrieb:
> >I don't understand - you're saying that, for windows clients:
> >
> > 1. On wi-fi they send host/name.domain.com
> > 2. On LAN, then send... something else?
> >
> >Are you sure? We don't see that.
i agree
> Exactly. On wifi they send
>
>
>
> on LAN they send:
>
On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote:
Hi Alan,
Alan DeKok schrieb:
Freeradius. Using Linux I can send whatever I want as the loginname.
If you know you can change the client, then change the client.
This is exactly what I want to do! Change the loginname, the clients
send
Hi Phil,
Phil Mayers schrieb:
I don't understand - you're saying that, for windows clients:
1. On wi-fi they send host/name.domain.com
2. On LAN, then send... something else?
Are you sure? We don't see that.
Exactly. On wifi they send
on LAN they send:
host/
is the Windowshostname fr
Hi Alan,
Alan DeKok schrieb:
Freeradius. Using Linux I can send whatever I want as the loginname.
If you know you can change the client, then change the client.
This is exactly what I want to do! Change the loginname, the clients
sends to the Authenticater. It's a Windows 802.1x q
Alexandros Gougousoudis wrote:
> That's not clear. Why would that break EAP if the workstations are
> sending a different Login?
You said you wanted to add a string to hostname. Don't do that.
Editing it in FreeRADIUS will break things.
> It already does, depending on LAN or WLAN
> Logins. I d
On 11/10/12 12:43, Alexandros Gougousoudis wrote:
Hi,
we're using FR 2.0 for our machine authentication for XP to Win7 with
EAP-TLS. Everything is working so far, but I noticed a difference
between authenticating via WLAN and LAN, which starts to be a problem
for us now. If I make a auth via LAN
I'm sorry, I don't have time right now to help you, but you are on the
right track. Windows has a feature "Machine Authentication" where the
station authenticates (using the $hostname and a secret credential
created at domain join) with a Domain controller before the user login.
On an hardw
Hi Alan,
thanks for your reply!
Alan DeKok schrieb:
"host/" as a realm for our Radsecproxy, I'd like to change the
behaviour for the authentication via LAN and add a string to the
Don't. You will break EAP.
That's not clear. Why would that break EAP if the workstations are
se
Alexandros Gougousoudis wrote:
> we're using FR 2.0 for our machine authentication for XP to Win7 with
> EAP-TLS. Everything is working so far, but I noticed a difference
> between authenticating via WLAN and LAN, which starts to be a problem
> for us now. If I make a auth via LAN the provided user
Hello,
the MD5 that is used in EAP-MD5 (configured in eap.conf) and the MD5
that is used as a message digest in certificate generation (configured
in the .cnf files you mentioned) have *nothing* to do with each other.
I.e. you can change one without side-effects on the other.
Since there is no E
Benjamin Malynovytch wrote:
> Thank you for your *great* contribution.
You're welcome.
> PS: Do you sometimes read peoples messages or do you just use automatic
> answers ?
I read *everything* on this list.
I generally answer *good* questions. I ignore *bad* questions.
But yes, many a
Dear Alan,
I was wondering how long you would wait to answer me to RTFM !
Thank you for your *great* contribution.
Benjamin.
PS: Do you sometimes read peoples messages or do you just use automatic
answers ?
Le Mon, 25 Jun 2012 14:29:23 +0200, Alan DeKok
a écrit:
Benjamin Malynovyt
Benjamin Malynovytch wrote:
> I read tons of threads where Alan DeKok kept repeating to read his
> website, as well as using default configuration which is know to work.
> I also read that those EAP sessions not finishing where only due to
> certs problems or fragmentation.
> Certs are fine, fragme
Alan, Thank you for your answer. I know you must be right, but I still didn't manage to have it working again. I'm still getting troubles with TLS exchanges and don't know enough of it to be able to debug it. I read tons of threads where Alan DeKok kept repeating to read his website, as well as using
If you haven't touched FR then don't look there as that's not what has changed.
Your problem has already been identified - the bit that got changed.
No changes should be made on FR or on the clients
alan
On 30/04/12 13:18, jinx_20 wrote:
But I sill cannot understand why FR allowed to connect when I had removed
Sub2_CA certificate from cert store.
Just to emphasise, unless I'm mistaken it is OpenSSL that was validating
or rejecting the cert. The FreeRADIUS "verify" callback doesn't override
t
I think I found a reason. In the root and sub CA certificates there was
*Extended Key Usage* set to "OCSP Signing" what limited using of any user
certificate issued by those CAs to "OCSP Signing" purpose.
/
4.2.1.12. Extended Key Usage
This extension indicates one or more purposes for which the
On 04/30/2012 07:29 AM, jinx_20 wrote:
Phil, can you look at the certs I provided?
They look ok to me. There's no obvious reason they shouldn't verify, and
quick tests as the CLI all passed. Are you sure these are functionally
*identical* to the real ones you're using?
I've checked over th
Phil, can you look at the certs I provided?
Gabriel
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5675205.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Attached you can find Sub2_CA chain and end user certificate issued by Sub2
CA.
jinx
#
End user certificate:
#
Bag Attributes
localKeyID: B8 D0 2D C0 14 F7 6B 88 15 8A 9E FA C4 F8 4E A5 B
On 25/04/12 12:42, jinx_20 wrote:
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on
Feb 2 2012 at 15:38:19
OpenSSL 0.9.8o 01 Jun 2010
I wouldn't like to share our private production certificates but if you
really need it to help us I will set up a mirror testing PKI
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on
Feb 2 2012 at 15:38:19
OpenSSL 0.9.8o 01 Jun 2010
I wouldn't like to share our private production certificates but if you
really need it to help us I will set up a mirror testing PKI environment and
send you all require
2012/4/25 jinx_20
> Ok, to be sure that we understand each other...
>
> My Sub2_CA_entire_chain.pem looks like this:
>
> -BEGIN CERTIFICATE-
> XX
> -END CERTIFICATE-
> -BEGIN CERTIFICATE-
> Y
> -END CERTIFICATE-
>
On 25/04/12 10:39, jinx_20 wrote:
Is there any way to configure FreeRadius server to explicitly accept
intermediate CAs received from the client supplicant?
No, it should not be needed and should work; but there might be a logic
error in the various SSL verify options or callbacks; OpenSSL is
Ok, to be sure that we understand each other...
My Sub2_CA_entire_chain.pem looks like this:
-BEGIN CERTIFICATE-
XX
-END CERTIFICATE-
-BEGIN CERTIFICATE-
Y
-END CERTIFICATE-
-BEGIN CERTIFICATE-
ZZZ
Well, yes, there is. What I meant to say is, you need to set CA to a file
which has all the certificates of the chain: ROOT_CA, Sub1_CA and Sub2_CA.
When speaking to certificate files, I call the concatenated one
"certificate chain file", but it's another concept:
http://publib.boulder.ibm.com/inf
As I mentioned before CA_file in the eap.conf is set to
${cadir}/Sub2_CA_*entire_chain*.pem
Is there any difference between concatenated CA file and certificate chain?
Gabriel
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certifi
>
> As soon as I delete Sub2 CA (that is, the CA certificate of the certificate
> authority which issued client's certificate) I am able to connect
> successfully.
>
Does FR know this Sub2 CA? i.e: is CA certificate chain file referenced in
eap.conf?
If not, try to concatenate certificate authorit
On 12/26/2011 02:44 PM, vazoumana fofana wrote:
sorry, i ve got persistents problems :
- i filter client certificate under authenticate section (under eap)
with : Auth-Type eap {
if ( "%{TLS-Client-Cert-Subject}" =~ /OU=x/ ) {
reject
}
}.
Firstly, it s' written on "default" file :
/Please do
On Mon, Dec 26, 2011 at 9:44 PM, vazoumana fofana
wrote:
> sorry, i ve got persistents problems :
>
> - i filter client certificate under authenticate section (under eap) with :
> Auth-Type eap {
> if ( "%{TLS-Client-Cert-Subject}" =~ /OU=x/ ) {
>
o avoid request of certain client ?
I restrict authentication request to chooser NAS. I want to avoid clients to
enter loop authentication. But these client can request authentication through
NAS choosen.
Cheers.
From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject:
Thanks!!!
> Date: Fri, 23 Dec 2011 16:26:20 +0700
> Subject: Re: eap/tls questions with freeradius
> From: l...@fajar.net
> To: freeradius-users@lists.freeradius.org
>
> On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana
> wrote:
> >
> > Do you know whe
On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana
wrote:
>
> Do you know where i can insert script to add new functions like described
> in my previous email ?
> When client sends its certificate , server checks before username or
> certificate validity ?
Try:
- http://wiki.freeradius.org/Sites%
Do you know where i can insert script to add new functions like described in
my previous email ?
When client sends its certificate , server checks before username or
certificate validity ?
From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: eap/tls questions
Precisely, i search check_cert_subject which checks client's certificate field.
From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: eap/tls questions with freeradius
Date: Tue, 20 Dec 2011 12:23:50 +
Hi ,
i've got a question :
i've set up a freeradius serv
Victor Guk wrote:
> I tried on a 64 bit computer. The same result.
Ask the OpenSSL people why their library can't handle dates after 2050.
FreeRADIUS can't handle dates after 2038, due to 32-bit limitations of
the timestamp in RADIUS.
Alan DeKok.
why?
>
> really, why? what purpose does testing these dates have - you really think
> your current infrastructure, and technologies such as 802.1X are going
> to be around in the same format in even 20 years time?
No, of course not:)
This is my curiosity led me to test such date.
>
>
This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL
tells it.
Can you verify the cert with the "openssl verify ..." test command? e.g.
try this:
openssl verify -CAfile ca.pem -purpose sslserver server.pem
freeradius:/usr/local/CA # openssl verify -CAfile cacert.pem -purpo
Hi,
> why?
>
> really, why? what purpose does testing these dates have - you really think
> your current infrastructure, and technologies such as 802.1X are going
> to be around in the same format in even 20 years time?
To be honest, I'm thinking of a similar thing. Given how painful a CA
rollover
hi,
why?
really, why? what purpose does testing these dates have - you really think
your current infrastructure, and technologies such as 802.1X are going
to be around in the same format in even 20 years time?
anyway... I'm guessing these are 32 bit server and client OS ?
you may find, in that c
On 12/05/2011 08:25 AM, Victor Guk wrote:
[tls] <<< TLS 1.0 Handshake [length 0249], Certificate
--> verify error:num=9:certificate is not yet valid
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert write:fatal:bad certificate
This error comes from within OpenSSL. FreeRADI
dius users mailing list
> Subject: Re: EAP-TLS Attributes
>
> Houston-III, Lester L wrote:
>> Basically, I want to provide some data that's obtained from an external
>> source to my VPN client that is made available to JRADIUS via FreeRADIUS. I
>> need this data t
@lists.freeradius.org
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Thursday, November 17, 2011 5:15 AM
To: FreeRadius users mailing list
Subject: Re: EAP-TLS Attributes
Houston-III, Lester L wrote:
> Basically, I want
Houston-III, Lester L wrote:
> Basically, I want to provide some data that's obtained from an external
> source to my VPN client that is made available to JRADIUS via FreeRADIUS. I
> need this data to be available for the authorization phase because it will be
> used by JRADIUS for determining
On 11/16/2011 11:36 PM, Houston-III, Lester L wrote:
Basically, I want to provide some data that's obtained from an
external source to my VPN client that is made available to JRADIUS
via FreeRADIUS. I need this data to be available for the
authorization phase because it will be used by JRADIUS f
Basically, I want to provide some data that's obtained from an external source
to my VPN client that is made available to JRADIUS via FreeRADIUS. I need this
data to be available for the authorization phase because it will be used by
JRADIUS for determining whether a user is authorized for acce
On 11/16/2011 09:53 PM, Houston-III, Lester L wrote:
What I want to do now is have the StrongSwan VPN client inject some
custom data into the EAP message so that data can be propagated through
to JRADIUS for use in the post authorization method. Maybe something
like creating my own attribute or
Hi all,
problem has been on my side. I miss to add another one CRL into certs directory.
Thank you for all your help!
Best regards,
—
Martin Čmelík
2011/11/14 Martin Čmelík :
> Hi Alan,
>
> I did, there is nothing about it.
>
> Only this:
>
> # Check the Certificate Revocation List
> #
> #
Hi Alan,
I did, there is nothing about it.
Only this:
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash '.
#'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
Hi,
> Question is: When Freeradius receive user certificate how daemon find
> correct CRL list in certs directory?
The CRL needs to be in the same directory as the CAs, and needs to be
hashed with c_rehash just like the CA certs. CRLs automatically get the
hash suffix ".r0" instead of ".0".
You
Martin Čmelík wrote:
> Question is: When Freeradius receive user certificate how daemon find
> correct CRL list in certs directory?
Read raddb/eap.conf. This is documented.
Alan DeKok.
Hi,
maybe that I explain it wrong.
We have now 4 CAs and 4 CRL lists where checking against them working
fine. I must add two new CAs (into ca.pam as others), but Freeradius
can't compare User certificate against correct crl list (crl5.pam,
crl6.pam).
Question is: When Freeradius receive user cer
Martin Čmelík wrote:
> nobody knows how setup freeradius to check new CRL lists?
FreeRADIUS uses OpenSSL for CRLs (and everything SSL). OpenSSL does
not support dynamically adding CRLs at run time.
See the "ocsp" support in 2.1.12.
Alan DeKok.
Hi,
nobody knows how setup freeradius to check new CRL lists? Should I
provide more information (it is not easy to take output from radiusd
-X, but if it is essential I can try it)?
Thank you for any suggestion
—
Martin Čmelík
2011/11/10 Martin Čmelík :
> Hi,
>
> I downloaded current stable