Mike, I think I've configured your suggestion; below is what FreeRADIUS
displays (with my domain name changed) when I try to bring my laptop online.
My root CA certificate is in the Trusted Root Certification Authorities
store.
I created a new certificate with my computer name in the CN field.

I'm trying this from a WinXP SP1 computer.

I've added:

# check items take ==; with "=" radiusd logs "Invalid operator for item Prefix"
DEFAULT Prefix == "host/", Strip-User-Name = YES
        Hint = "EAP",
        Service-Type = Framed-User,
        Framed-Protocol = EAP

to my hints file

and "%{Stripped-User-Name:-%{User-Name}}" (without quotes) to my eap.conf file.

Hopefully someone smarter than I can decipher this debug file.


rad_recv: Access-Request packet from host 172.30.1.249:21648, id=194,
length=192
        User-Name = "host/Scribner-Laptop.MyDomain.Org"
        Framed-MTU = 1400
        Called-Station-Id = "0040.9641.1a7a"
        Calling-Station-Id = "0040.9641.3aa7"
        Service-Type = Login-User
        Message-Authenticator = 0x5055ee82d6d4f2e270819b29e86b8141
        EAP-Message =
0x0202002901686f73742f53637269626e65722d4c6170746f702e4341
4d432d4f6e6c696e652e4f5247
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 511
        NAS-IP-Address = 172.30.1.249
        NAS-Identifier = "CAMC-AP-1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Invalid operator for item Prefix: reverting to '=='
  hints: Matched DEFAULT at 48
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 41
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 194 to 172.30.1.249:21648
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 172.30.1.249:21648, id=195,
length=192
        User-Name = "host/Scribner-Laptop.MyDomain.Org"
        Framed-MTU = 1400
        Called-Station-Id = "0040.9641.1a7a"
        Calling-Station-Id = "0040.9641.3aa7"
        Service-Type = Login-User
        Message-Authenticator = 0xc3a48c4699bfa3b310021c644f0960b2
        EAP-Message =
0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
4d432d4f6e6c696e652e4f5247
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 512
        NAS-IP-Address = 172.30.1.249
        NAS-Identifier = "CAMC-AP-1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
Invalid operator for item Prefix: reverting to '=='
  hints: Matched DEFAULT at 48
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 41
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 194 with timestamp 40db5adf
Sending Access-Reject of id 195 to 172.30.1.249:21648
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 172.30.1.249:21648, id=196,
length=192
        User-Name = "host/Scribner-Laptop.MyDomain.Org"
        Framed-MTU = 1400
        Called-Station-Id = "0040.9641.1a7a"
        Calling-Station-Id = "0040.9641.3aa7"
        Service-Type = Login-User
        Message-Authenticator = 0x0f84e63c63bc15cee5e9208ac74c507c
        EAP-Message =
0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
4d432d4f6e6c696e652e4f5247
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 513
        NAS-IP-Address = 172.30.1.249
        NAS-Identifier = "CAMC-AP-1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
Invalid operator for item Prefix: reverting to '=='
  hints: Matched DEFAULT at 48
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 1 length 41
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 2
modcall: group authenticate returns invalid for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 195 with timestamp 40db5ae1
Sending Access-Reject of id 196 to 172.30.1.249:21648
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 172.30.1.249:21648, id=197,
length=192
        User-Name = "host/Scribner-Laptop.MyDomain.Org"
        Framed-MTU = 1400
        Called-Station-Id = "0040.9641.1a7a"
        Calling-Station-Id = "0040.9641.3aa7"
        Service-Type = Login-User
        Message-Authenticator = 0x6cb568cd67f1634858dcef38461dc830
        EAP-Message =
0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
4d432d4f6e6c696e652e4f5247
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 514
        NAS-IP-Address = 172.30.1.249
        NAS-Identifier = "CAMC-AP-1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
Invalid operator for item Prefix: reverting to '=='
  hints: Matched DEFAULT at 48
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 1 length 41
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 196 with timestamp 40db5ae5
Sending Access-Reject of id 197 to 172.30.1.249:21648
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 172.30.1.249:21648, id=198,
length=192
        User-Name = "host/Scribner-Laptop.MyDomain.Org"
        Framed-MTU = 1400
        Called-Station-Id = "0040.9641.1a7a"
        Calling-Station-Id = "0040.9641.3aa7"
        Service-Type = Login-User
        Message-Authenticator = 0x5bc89559f40f0887943b442feae73f96
        EAP-Message =
0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
4d432d4f6e6c696e652e4f5247
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 515
        NAS-IP-Address = 172.30.1.249
        NAS-Identifier = "CAMC-AP-1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
Invalid operator for item Prefix: reverting to '=='
  hints: Matched DEFAULT at 48
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 1 length 41
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 197 with timestamp 40db5ae7
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 198 to 172.30.1.249:21648
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 172.30.1.249:21648, id=199,
length=192
        User-Name = "host/Scribner-Laptop.MyDomain.Org"
        Framed-MTU = 1400
        Called-Station-Id = "0040.9641.1a7a"
        Calling-Station-Id = "0040.9641.3aa7"
        Service-Type = Login-User
        Message-Authenticator = 0xaabc8c7f21eae2c72f6a157db6d48f90
        EAP-Message =
0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
4d432d4f6e6c696e652e4f5247
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 516
        NAS-IP-Address = 172.30.1.249
        NAS-Identifier = "CAMC-AP-1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
Invalid operator for item Prefix: reverting to '=='
  hints: Matched DEFAULT at 48
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 1 length 41
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 198 with timestamp 40db5aec
Sending Access-Reject of id 199 to 172.30.1.249:21648
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 199 with timestamp 40db5aee

----- Original Message ----- 
From: "Michael Griego" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 24, 2004 4:24 PM
Subject: Re: EAP/TLS Computer Certificates


> Couple of things:
>
> 1. Make sure the CA certificate also exists in the Local Computer
> Trusted Roots Store.
>
> 2. For Windows 2000, make sure that the machine name is in the CN or
> subjAltName fields of the certificate.  It can be just the local part of
> the FQDN, so if the FQDN of your machine is somemachine.domain.com, then
> the CN can be just somemachine or it can be somemachine.domain.com.
>
> 3. Make sure that when you copied the certificate from the Personal
> Store to the Local Computer store that the Private Key was copied as
> well.
>
> 4. Note that when Windows connects with computer authentication, it
> will prepend "host/" onto the CN field of the certificate.  So, if you
> use the check_cert_cn option in the EAP-TLS setup, you'll probably need
> to run it through the hints file with a prefix of "host/" to
> create the Stripped-User-Name attribute, and change the check_cert_cn
> option to be "%{Stripped-User-Name:-%{User-Name}}".
>
> --Mike
>
> On Thu, 2004-06-24 at 16:01, Jeremy Scribner wrote:
> > Yesterday I installed freeradius-snapshot-20040623 &
> > openssl-SNAP-20040623 in hopes of using it for wireless
> > authentication.  I followed the instructions from the different
> > FreeRADIUS TLS how-tos, and can successfully make authentication work
> > using the client user certificate.
> >
> > My problem now is that I would like to create a certificate that
> > authenticates just the computer and not worry about user
> > certificates.  I know many of the security experts out there are
> > shuddering at my even thinking about using a single certificate for
> > authentication, but my environment doesn't work well for distributing
> > individual certificates to all of my users.  Our laptops are used for
> > training purposes and students don't use the same laptop every time.
> > Is there something special I need to do to create a machine
> > certificate vs. a user certificate?
> >
> > If I move the user certificate to the (Local Computer) I cannot
> > connect.
> >
> >
> >
> > My Environment consists of:
> >
> > Linux Red Hat 9 Server running FreeRadius and OpenSSL
> >
> > Cisco 350 Series AP
> >
> > Windows XP SP 1 & Windows 2000 SP 4 Laptops
> >
> >
> >
> > Thank you in advance for any help.
> >
> >
> >
> > Jeremy Scribner
> -- 
>
> --Mike
>
> ----------------------------------
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>
>
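The "host/" prefix handling described in point 4 above can be checked directly against a rad_recv block of the debug output. The following is an added example, not code from the thread or from FreeRADIUS: it decodes the EAP-Message hex as an EAP Response/Identity and compares that identity with the User-Name both as received and after the hints-file prefix strip; the sample trace is constructed, and the function names are the example's own.

```python
import re
PREFIX = "host/"  # prepended by Windows for computer (machine) authentication

def build_identity_response(eap_id: int, identity: str) -> str:
    # EAP Response/Identity (code 2, type 1) as the 0x-hex string radiusd prints.
    body = identity.encode()
    pkt = bytes([2, eap_id]) + (5 + len(body)).to_bytes(2, "big") + b"\x01" + body
    return "0x" + pkt.hex()

def parse_eap_identity(hexstr: str) -> str:
    # Decode EAP-Message hex; accept only a well-formed Response/Identity.
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 5 or int.from_bytes(raw[2:4], "big") != len(raw) or raw[0] != 2 or raw[4] != 1:
        raise ValueError("not a well-formed EAP Response/Identity")
    return raw[5:].decode()

def strip_prefix(user_name: str, prefix: str = PREFIX):
    # Hints entry  Prefix == "host/", Strip-User-Name = Yes ; None if no prefix.
    return user_name[len(prefix):] if user_name.startswith(prefix) else None

def extract(trace: str) -> tuple:
    # User-Name and the (possibly line-wrapped) EAP-Message hex of one rad_recv block.
    user_name, parts, in_eap = None, [], False
    for line in trace.splitlines():
        s = line.strip()
        if in_eap and re.fullmatch(r"(0x)?[0-9a-fA-F]+", s):
            parts.append(s)          # continuation line of wrapped hex
            continue
        in_eap = s.startswith("EAP-Message =")
        if in_eap and s[13:].strip():
            parts.append(s[13:].strip())
        elif s.startswith('User-Name = "'):
            user_name = s.split('"')[1]
    return user_name, "".join(parts)

def analyse(trace: str) -> dict:
    # Compare the EAP Identity with User-Name as received and as rewritten by the
    # strip hint (rlm_eap reports a mismatch as "Identity does not match User-Name").
    user_name, hexstr = extract(trace)
    identity, stripped = parse_eap_identity(hexstr), strip_prefix(user_name)
    return {"eap_identity": identity, "stripped": stripped,
            "matches_received": identity == user_name, "matches_stripped": identity == stripped}

# Constructed sample (not the thread's trace): hex built from the identity and
# wrapped over two lines the way radiusd -X wraps long EAP-Message values.
_HEX = build_identity_response(2, "host/Scribner-Laptop.MyDomain.Org")
SAMPLE_TRACE = f'''        User-Name = "host/Scribner-Laptop.MyDomain.Org"
        EAP-Message =
{_HEX[:58]}
{_HEX[58:]}
        NAS-Port-Type = Wireless-802.11'''
```

Running `analyse(SAMPLE_TRACE)` shows the identity equal to the User-Name as received but not to the stripped form, which is the comparison the "Identity does not match User-Name" line refers to.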

