Problem was solved thanks to Ivan's assistance,
Main problem was on switch side and its configuration,
Second problem was - proper certificate to proper certificate store
And third - in my head :).
Thank you again
Bartosz.
Problem was solved thanks to Ivan's assistance,
Main problem was on switch side and its configuration,
Second problem was - proper certificate to proper certificate store
And third - in my head :).
OK. Now that you have established that client certificates signed by CA
work with XP SP3, can you
On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik t...@kalik.net wrote:
Problem was solved thanks to Ivan's assistance,
Main problem was on switch side and its configuration,
Second problem was - proper certificate to proper certificate store
And third - in my head :).
OK. Now that you have
Don't strip the username. Why do you proxy this anyway? Create it as a
local realm:
I am using basic configuration without changes in config cause:
so..somewhere along the line you are playing with the User-Name
attribute...something
which you cannot do with EAP - if you take a standard 2.1.6
Bartosz Chodzinski wrote:
make the basic changes to your eap.conf and client.conf it will work
it won't.
You can believe that, which means that everyone else is lying. They
just download the software, follow the guides, and it just works.
But... because it doesn't work for you, they must be
could you give me good freeradius guide for dummies - I think I need it :)
On Wed, May 20, 2009 at 9:30 AM, Alan DeKok al...@deployingradius.com wrote:
Bartosz Chodzinski wrote:
make the basic changes to your eap.conf and client.conf it will work
it won't.
You can believe that, which
Hi,
realm example.com {
}
realm LOCAL {
}
realm NULL {
}
/etc/freeradius/proxy.conf[498]: home_server localhost does not exist
that's very interesting - because in the default proxy.conf there IS an
entry for home_server localhost.
so, I'll repeat once again, do not just randomly
Bartosz Chodzinski wrote:
could you give me good freeradius guide for dummies - I think I need it :)
$ man radiusd
It contains a section describing how to make changes to the
configuration files.
For EAP, see http://deployingradius.com
The front page contains 4 steps to get EAP working.
Hey People!,
I am not saying that you are lying, I didn't even think like that, I never
intended to insult you,
for God's sake, I am asking for help - that means that you are the masters and
I am the student
yes, it is annoying me - I started to do something with radius because I felt that
it is a good idea to know
Bartosz Chodzinski wrote:
I am not saying that you are lying, I didn't even think like that, I
never intended to insult you,
You're not insulting us. I am asking you to *think* about what you are
saying.
yes, it is annoying me - I started to do something with radius because I felt
that it is a good idea
could you give me good freeradius guide for dummies - I think I need it :)
Guide: don't make any changes to the default configuration unless you know
what you are doing. That's it.
Server is configured by default to handle EAP-TLS. There is nothing that
you need to do to make it happen.
Now,
back to the beginning
and using the most simple conf.
to be sure that I have clear configuration
#apt-get remove freeradius
#dpkg -P freeradius
#dpkg -i freeradius_2.1.6-0_i386.deb
server is Debian etchnhalf, it is virtual server on VMware ESX Server 3i,
3.5.0
now I have clear configuration and
Bartosz Chodzinski wrote:
back to the beginning
and using the most simple conf.
...
now I have clear configuration and make simply changes
changes:
radiusd.conf
proxy_requests = no #was yes, set to no because I don't need it
The guide didn't say to do that.
...
I still have a problem -
next I made client certificate (using standard scripts)
#cd /etc/freeradius/certs
#make client
and install certificates client.p12, ca.der on Win Xp Prof Sp3 OEM, Acer
Travel Mate 380
certificates installed in Trusted Root CA and Personal storages (I deleted
all previous certs on that
The steps you took show that you are NOT following the guide.
Good luck. You clearly are *not* interested in solving the problem.
the guide in radiusd.conf says:
#The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can
The steps you took show that you are NOT following the guide.
Good luck. You clearly are *not* interested in solving the problem.
the guide in radiusd.conf says:
#The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you
ok I changed it to default
proxy_requests = yes
$INCLUDE proxy.conf
/etc/freeradius/certs/Makefile
was
#client.crt: client.csr server.crt server.key index.txt serial
# openssl ca -batch -keyfile server.key -cert server.crt -in
client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions
I am using a standard settings of eap.conf
when I change eap.conf to:
# default_eap_type = md5
default_eap_type = peap
I have similar communicate
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=242,
length=147
Check connection settings on Windows machine.
Ivan Kalik
Kalik Informatika ISP
I am using a standard settings of eap.conf
when I change eap.conf to:
# default_eap_type = md5
default_eap_type = peap
That's not Windows machine - that's on your radius server.
so..somewhere along the line you are playing with the User-Name
attribute...something
which you cannot do with EAP - if you take a standard 2.1.6 install and
make the basic changes
to your eap.conf and clients.conf it will work.
which Linux distribution should I use? So far I tried
Hi,
which Linux distribution should I use? So far I tried debian-etchnhalf, or
CentOS, and in every how-to it's written that I have to compile it by myself.
This how-to didn't work anyway... so I will try what you will suggest.
Bartosz.
there's nothing wrong with compiling it yourself - so
Ok, I downloaded 2.1.6
# unp freeradius-server-2.1.6.tar.gz
# cd /usr/src/freeradius-server-2.1.6
# dpkg-buildpackage -rfakeroot -uc -us
# dpkg -i freeradius_2.1.6-0_i386.deb
- the installer creates ca and server certs in /etc/freeradius/certs directory
# cd /etc/freeradius/certs
# make client
next
# make client
next I made a copy of ca.der and client.p12 to xp directory,
next I opened mmc and install both of them to Trusted Root Certificate
Authorities and to Personal
exclamation mark on client certificate:
windows does not have enough information to verify this certificate
you
So in other words this script is for all clients except Microsoft-like ones?
You should try altering make client command in Makefile so that client
certificates are signed by ca and not server certificate.
do you have such altered makefile?
On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik t...@kalik.net
I created once again certs by myself, giving common name for user cert the
same like in example
u...@example.com, I place them on xp client - both of them looks ok,
now something is happening (anyway like Aragorn said: still not king):
Ready to process requests.
rad_recv: Access-Request packet
I created once again certs by myself, giving common name for user cert the
same like in example
u...@example.com, I place them on xp client - both of them looks ok,
now something is happening (anyway like Aragorn said: still not king):
Ready to process requests.
rad_recv: Access-Request
Bartosz Chodzinski wrote:
/etc/freeradius/certs/README
I've never understood why people think it's useful to post
documentation from the server on this list. Do you think we haven't
seen it?
and something happened:
( I think key information is
TLS_accept:error in SSLv3 read client
ok (you guys probably hate me :) but please could you still give me the
answers as you did before)
but back to the subject:
I did like you said,
I installed 2.0.4 version (compiled using suggestions from:
http://www.fatofthelan.com/articles/articles.php?pid=27
I installed 2.0.4 version (compiled using suggestions from:
http://www.fatofthelan.com/articles/articles.php?pid=27
http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html)
If you downloaded current version, you wouldn't need to ask. You have to
Hi,
ok (you guys probably hate me :) but please could you still give me the
answers as you did before)
but back to the subject:
I did like you said,
I installed 2.0.4 version (compiled using suggestions from:
http://www.fatofthelan.com/articles/articles.php?pid=27
I tried yesterday many times using different options but it doesn't work, any
idea what can be wrong?
Bartosz.
On Thu, May 14, 2009 at 3:45 PM, Bartosz Chodzinski bartos...@gmail.com wrote:
ok full information:
jpg with all setting on the not working client
I tried yesterday many times using different options but it doesn't work,
any
idea what can be wrong?
Looking at this:
http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
you have put ca (ca_auth), not client certificate in the personal store.
Ivan Kalik
Kalik Informatika ISP
Thank you for answer.
I put this to personal store, I think it is a client certificate, I gave a
commonName ca_auth
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:61:67:27:8b:7d:0a:b1
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=PL,
Thank you for answer.
I put this to personal store, I think it is a client certificate, I gave a
commonName ca_auth
..
Issuer: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
CN=ca_auth/emailaddress=em...@address.pl
...
Subject: C=PL, ST=dolnoslaskie, O=firma, OU=firma,
tls {
private_key_file = /etc/freeradius/eap/newkey.pem
certificate_file = /etc/freeradius/eap/newcert.pem
CA_file = /etc/freeradius/eap/eapCA/cacert.pem
dh_file = /etc/freeradius/eap/dh
random_file = /etc/freeradius/eap/random
fragment_size = 1024
tls {
private_key_file = /etc/freeradius/eap/newkey.pem
certificate_file = /etc/freeradius/eap/newcert.pem
CA_file = /etc/freeradius/eap/eapCA/cacert.pem
dh_file = /etc/freeradius/eap/dh
random_file = /etc/freeradius/eap/random
fragment_size = 1024
Thanks,
I created certificate
openssl req -new -keyout /etc/freeradius/eap/client_key.pem -out
/etc/freeradius/eap/client_req.pem -days 730 -passin pass:password -passout
pass:password
openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out
/etc/freeradius/eap/client_cert.pem
And I put cliet_cert.pem to both certificate stores Trusted CA and
Personal
You should import .p12 version onto the client.
Are you sure that I should not change anything in my server config files
Any particular reason you are creating certificates yourself? Why aren't
you using scripts
I have freeradius with eap support on debian etch, radius v1.1.3
2.0.4 should be available for Debian. Upgrade. Vista doesn't work with
1.1.3. And you will have problems with XP SP3.
everything is working fine but I'd like to have a much simpler
configuration
only by certificate and nothing
2.0.4 should be available for Debian.
I know, 2.0.4 freeradius is available for debian lenny but not etch
unfortunately.
2. Use EAP-TLS to connect (Smart card or certificate in Windows speak).
Could you write me where in the config to put that? I tried what is described below but it
doesn't work
eap.conf:
2.0.4 should be available for Debian.
I know, 2.0.4 freeradius is available for debian lenny but not etch
unfortunately.
http://packages.debian.org/search?keywords=freeradius
2. Use EAP-TLS to connect (Smart card or certificate in Windows speak).
Could you write me where in config put that?
What doesn't work? Post the debug.
server:
I didn't change my config file, it is the same as in the first message,
client (win xp):
I have local connection-authentication-method-eap(peap)-properties:
validate server cert (marked checkbox),
marked cacert.pem,
secured password eap-mschapv2 -
I am sorry, I gave you wrong debug,
whatever is marked or unmarked on checkbox
local connection-authentication-keep in memory information about users for
additional network connection
server does not have any new lines in debug, like nothing happened at all.
On Thu, May 14, 2009 at 2:24 PM,
What doesn't work? Post the debug.
server:
I didn't change my config file, it is the same as in the first message,
client (win xp):
I have local connection-authentication-method-eap(peap)-properties:
validate server cert (marked checkbox),
marked cacert.pem,
secured password
I am sorry, I gave you wrong debug,
whatever is marked or unmarked on checkbox
local connection-authentication-keep in memory information about users
for
additional network connection
server does not have any new lines in debug, like nothing happened at all.
It can't find client
ok full information:
jpg with all setting on the not working client
http://w573.wrzuta.pl/obraz/powieksz/ag0ldvKR8Zj
I think it is properly, cause it work during eap (peap), am I wrong?
Bartosz.
On Thu, May 14, 2009 at 3:16 PM, Ivan Kalik t...@kalik.net wrote:
I am sorry, I gave you wrong
I know that the date may be weird, but it doesn't matter
debian-etch:~# date
Sat May 14 15:46:10 CEST 2005
windows date may 2005, as well
and switch as well,
I forgot to check the date when I created certificates, but after changing the date
on server and client it is not a problem
Bartosz.
On Thu, May 14,