Anders Holm wrote:
[snip]
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this. //Normal, I am not
willing to do PAP but mschapv2
me If you’re not using a module, disable it. All it’ll do is add
latency, delays and
Sergio wrote:
I agree, a good beginning would be to comment out all modules you're not
using. The instances of the modules are in sites-enabled/default and
sites-enabled/inner-tunnel (for peap and ttls).
For debugging... no. The default configuration file WORKS in the
widest possible set of
I agree, a good beginning would be to comment out all modules you're not
using. The instances of the modules are in sites-enabled/default and
sites-enabled/inner-tunnel (for peap and ttls).
-
--- Don't worry, it will be done soon (as soon as the week starts again). I
really want to figure it
the
certification chain!!!
thanks a lot
- Original message
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, 27 July 2008, 08:51:35
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem
Reveal MAP wrote:
Yes, Alan, we already know that the default config does work! my mind:
freeradius (in our case, sergio and me) is correctly configured. But, we
encountered a problem showing no error message. so to make the log
slimmer, why not deactivate some non mandatory module in our
problem out.
- Original message
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, 27 July 2008, 19:42:23
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem
with eap-tls)
Reveal MAP
Reveal MAP wrote:
now we know what not to do at all. we are still wondering what we have
to do.
Use a client that isn't broken. Sorry. Try SecureW2.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reveal MAP wrote:
installing ca.der and putting user pass into client machine, the
authentication doesn't work?
-- no, it doesn't!
you only need ca.der but, if you have an active directory like LDAP,
check if your communication with AD server also has tls authentication.
Into ldap
see the logf there: http://tinypaste.com/5b99b
Your problem is nothing to do with certificates. The PEAP tunnel gets
setup correctly, the MS-CHAP client-server auth succeeds, but the final
server-client (mutual) auth appears to fail.
This could be for a number of reasons, but it's a
thanks for responding dude. let's take a look at this part of log!
(remember too that I am new to linux, many things are still Chinese for
me)
I agree, my certificates are OK to do EAP in general
my comments are the red lines:
my mschap module config is:
--
mschap {
use_mppe =
PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 25 July 2008, 20:51:58
Subject: Re : Re : cert bootstrap bug? (was Re: definitively, I have a problem
with eap-tls)
Are you using vista supplicant? By reading the last lines of your radius
[snip]
rlm_pap: WARNING! No known good password found for the user. Authentication
may fail because of this.//Normal, I am not willing to do
PAP but mschapv2
me If you’re not using a module, disable it. All it’ll do is add latency,
delays and unnecessary log
hmm... it's true I didn't test authentication with another laptop! I will! and
I will too with secureW2 instead of XP built-in wireless manager, and see!!
see the logf there: http://tinypaste.com/5b99b
Your problem is nothing to do with certificates. The PEAP tunnel gets
setup correctly, the
e: Re : cert bootstrap bug? (was Re: definitively, I have a problem with
eap-tls)
http://tinypaste.com/5b99b = Radiusd -X output.
[snip]
rlm_pap: WARNING! No known good password found for the user. Authentication
may fail because of this.//Normal, I am not willing to do
On Thu, Jul 24, 2008 at 09:14:54PM +0200, Alan DeKok wrote:
Phil Mayers wrote:
Alan - it does look to my untrained eye as if the client.crt Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?
It's intentional. It's a perfectly
freeradius-users@lists.freeradius.org
Sent: Thursday, 24 July 2008, 19:54:32
Subject: Re: cert bootstrap bug? (was Re: definitively, I have a problem with
eap-tls)
Sergio wrote:
But the debug I posted shows that radius doesn't recognize the issuer of
client cert using default certs
: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, 24 July 2008, 19:54:32
Subject: Re: cert bootstrap bug? (was Re: definitively, I have a
problem with eap-tls)
Sergio wrote:
But the debug I posted shows that radius doesn't recognize the issuer of
client cert
d'origine
From: Sergio [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 25 July 2008, 13:20:54
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a problem
with eap-tls)
Reveal MAP wrote:
HOW TO FIX THE PROBLEM
open!
- Original message
From: Sergio [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 25 July 2008, 13:20:54
Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a
problem with eap-tls)
Reveal MAP
installing ca.der and putting user pass into client machine, the
authentication doesn't work?
-- no, it doesn't!
you only need ca.der but, if you have an active directory like LDAP,
check if your communication with AD server also has tls authentication.
Into ldap module you can
Are you using vista supplicant? By reading the last lines of your radius
debug file it seems so...
See earlier posts with subject: PEAP or TTLS and Microsoft Vista.
On Fri, 2008-07-25 at 17:10 +, Reveal MAP wrote:
installing ca.der and putting user pass into client machine, the
nf-vale wrote:
Are you using vista supplicant? By reading the last lines of your radius
debug file it seems so...
See earlier posts with subject: PEAP or TTLS and Microsoft Vista.
On Fri, 2008-07-25 at 17:10 +, Reveal MAP wrote:
installing ca.der and putting user pass into
Sorry, I'll do the things right jeje
Log using default configuration except:
-default_eap_type = tls into eap.conf
-client 192.168.0.0/24 {
secret = testing123
shortname = kely
}
into clients.conf, and ap configuration ok (still not in the garbage)
Phil Mayers wrote:
Sergio wrote:
Sorry, I'll do the things right jeje
I haven't been reading all your emails, but what I have read is very
confusing. So I'm sorry if I misunderstand.
The error message seems very very clear.
FreeRadius cannot verify the client certificate.
This means
ok :) I provide certificate files and eap.conf in a tarball so as not to
post a mail that is too long.
If I print [EMAIL PROTECTED] in text form I see how radius is the
issuer of the certificate. This is the default PKI and I don't know what
I'm doing wrong.
Thanks for your attention.
I get the
Phil Mayers wrote:
ok :) I provide certificate files and eap.conf in a tarball so as not
to post a mail that is too long.
If I print [EMAIL PROTECTED] in text form I see how radius is the
issuer of the certificate. This is the default PKI and I don't know
what I'm doing wrong.
Thanks for your
Yeah!! Then you agree with me. I've been explaining (trying) in this
forum that client cert must be signed by ca cert. bootstrap command signs
client cert with server.key and this does not work. The solution is to
replace the signing in certs/Makefile (-key server.key -cert server.pem
should be
Phil Mayers wrote:
Alan - it does look to my untrained eye as if the client.crt Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?
It's intentional. It's a perfectly valid use of certificate chains.
The idea is that you have
Alan DeKok wrote:
Phil Mayers wrote:
Alan - it does look to my untrained eye as if the client.crt Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?
It's intentional. It's a perfectly valid use of certificate chains.
Alan DeKok wrote:
Phil Mayers wrote:
Alan - it does look to my untrained eye as if the client.crt Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?
It's intentional. It's a perfectly valid use of certificate chains.
Sergio wrote:
HI,
continuing with Reveal MAP problem with unknown ca's under eap-tls
using default configuration
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
freeradius tells me this:
rlm_eap_tls: TLS 1.0 Handshake [length
Sergio wrote:
Sergio wrote:
HI,
continuing with Reveal MAP problem with unknown ca's under eap-tls
using default configuration
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
freeradius tells me this:
rlm_eap_tls: TLS 1.0
HI,
continuing with Reveal MAP problem with unknown ca's under eap-tls
using default configuration
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
freeradius tells me this:
rlm_eap_tls: TLS 1.0 Handshake [length 0bdb], Certificate
33 matches