I think I was trying to determine what was supposed to be happening next. I have
not been able to find an entire debug output of a successful peap authentication.
It sounds to me like I am waiting for a request from the client, not the AP, right?

Also, I don't think I have the correct dh_file. I think it is supposed to have my
Diffie-Hellman parameters stored there in pem format. But beyond that... I was
wondering if that might be my holdup or if I am on crack.

Cisco, I have to admit that they may often be up to their own standards. We try to
follow standards ourselves. Unfortunately, when you have Microsoft and Cisco
getting together to draft a standard... But I think peap is the best answer for my
users. It is fine for me to use tls.

Could anyone provide us with some successful peap debug output to look at and help
me with my dh_file question?

Best wishes,
-=Bill
William E Reid wrote:
> Thanks.
>
> -=Bill
>
> Michael Melanson wrote:
>
> > stop using cisco's crap. try using mfgrs that use rfc standards, not
> > their own modified flavor
> >
> > >>> [EMAIL PROTECTED] 11/11/2003 5:57:56 PM >>>
> > I am having trouble.
> >
> > I think I have peap mostly working. However I make it to here and no
> > further:
> >
> > ...............
> > Tue Nov 11 17:30:15 2003 : Debug: auth: type "EAP"
> > Tue Nov 11 17:30:15 2003 : Debug: modcall: entering group authenticate for request 0
> > Tue Nov 11 17:30:15 2003 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 0
> > Tue Nov 11 17:30:15 2003 : Debug: rlm_eap: EAP Identity
> > Tue Nov 11 17:30:15 2003 : Debug: rlm_eap: processing type tls
> > Tue Nov 11 17:30:15 2003 : Debug: rlm_eap_tls: Initiate
> > Tue Nov 11 17:30:15 2003 : Debug: rlm_eap_tls: Start returned 1
> > Tue Nov 11 17:30:15 2003 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 0
> > Tue Nov 11 17:30:15 2003 : Debug: modcall[authenticate]: module "eap" returns ok for request 0
> > Tue Nov 11 17:30:15 2003 : Debug: modcall: group authenticate returns ok for request 0
> > Tue Nov 11 17:30:15 2003 : Auth: Login OK: [wer] (from client bill port 37 cli 000dbd05196d)
> > Sending Access-Challenge of id 50 to xxx.xxx.xxx.xxx:1074
> > EAP-Message = 0x010300061920
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x7ccfeaae99381eb63b6fa53680227296
> > EAP-Message = 0x010300061920
> > State = 0x6c5e42fb077a8f93a4122d3835f9a2f7
> > Tue Nov 11 17:30:15 2003 : Debug: Finished request 0
> > Tue Nov 11 17:30:15 2003 : Debug: Going to the next request
> > Tue Nov 11 17:30:15 2003 : Debug: --- Walking the entire request list ---
> > Tue Nov 11 17:30:15 2003 : Debug: Waking up in 6 seconds...
> > Tue Nov 11 17:30:21 2003 : Debug: --- Walking the entire request list ---
> > Tue Nov 11 17:30:21 2003 : Debug: Cleaning up request 0 ID 50 with timestamp 3fb162f7
> > Tue Nov 11 17:30:21 2003 : Debug: Nothing to do. Sleeping until we see a request.
> >
> > From this point on things just hang out. Windows ends up thinking it
> > is enabled, all the while it never got its attributes. The AP reports
> > that there is an "eap pending".
> >
> > My user looks like this.
> >
> > wer User-Password == "testtest"
> > Framed-IP-Address = xxx.xxx.xxx.234
> > Framed-IP-Netmask = 255.255.255.255
> >
> > I compiled with openssl 0.9.7c
> >
> > I think my certs are fine (the root was installed on the client),
> > though I don't know if I need to compile with openssl 0.9.7beta3 or
> > not to use peap. Also I was not sure what the "DH" file is, does
> > Diffie-Hellman want to store dynamic keys there? Should it just be an
> > empty file ("dh_file =" under tls {})?
> >
> > Any obvious words of wisdom or did I not provide enough information?
> >
> > Thank you,
> >
> > -=Bill
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
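
As an added example (not part of the thread and not FreeRADIUS code), the following Python decodes the `EAP-Message` attribute from the debug output quoted above into its EAP header fields and, for TLS-based methods, the flags octet. Treating the low three bits of that octet as the method version is an assumption of this example; the sample lines are copied from the thread.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}                 # methods that carry the TLS flags octet
FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # Length included, More fragments, Start
VERSION_MASK = 0x07                      # assumption: low 3 bits hold the method version

# Lines copied from the debug output quoted in the thread.
SAMPLE = """\
Sending Access-Challenge of id 50 to xxx.xxx.xxx.xxx:1074
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7ccfeaae99381eb63b6fa53680227296
"""

def decode_eap(hex_value):
    """Decode one EAP-Message attribute value printed as 0x... hex."""
    raw = bytes.fromhex(hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Large EAP packets are split across several EAP-Message attributes;
        # concatenate them before decoding.
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:   # only Request/Response carry a Type octet
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
        if eap_type in TLS_BASED and length >= 6:
            flags = raw[5]
            pkt["flags"] = [name for bit, name in FLAGS if flags & bit]
            pkt["version"] = flags & VERSION_MASK
            pkt["payload_bytes"] = length - 6   # bytes after the flags octet
    return pkt

def decode_debug_output(text):
    """Find every EAP-Message attribute in radiusd debug text and decode it."""
    return [decode_eap(h) for h in re.findall(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)", text)]

if __name__ == "__main__":
    for pkt in decode_debug_output(SAMPLE):
        print(pkt)
```

On the value from the thread this reports an EAP Request, identifier 3, of type PEAP with only the Start flag set and no TLS payload.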