Remove the "Strip-User-Name = YES" from the hints line.  The hints
file will automatically add the Stripped-User-Name attribute.  It's
important that you not alter the original User-Name attribute, which
is what the Strip-User-Name option will do.


--Mike

-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
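A small model of what the reply above describes, added here as an example and not code from the thread or from FreeRADIUS: it decodes the EAP Identity out of the EAP-Message attribute, applies a hints Prefix of "host/" with and without Strip-User-Name, and runs the two comparisons that matter, rlm_eap's identity-versus-User-Name check and check_cert_cn against "%{Stripped-User-Name:-%{User-Name}}". The sample identity, the NAS behaviour and the attribute dictionary are constructed assumptions.

```python
# Added example, not from the thread: models how a hints DEFAULT entry and
# rlm_eap treat User-Name for a Windows machine-auth EAP-TLS request.
# The "host/" prefix and attribute names are from the thread; the sample
# identity, NAS behaviour and attribute dict are constructed.
EAP_IDENTITY = 1  # EAP type code of an Identity response

def eap_identity(eap_message_hex: str) -> str:
    """Decode the identity from an EAP-Message: code(1) id(1) length(2) type(1) data."""
    raw = bytes.fromhex(eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex)
    length = int.from_bytes(raw[2:4], "big")
    if raw[0] != 2 or length != len(raw) or raw[4] != EAP_IDENTITY:
        raise ValueError("not a well-formed EAP Identity response")
    return raw[5:length].decode("ascii")

def apply_hints(request: dict, prefix: str, strip_user_name: bool) -> dict:
    """Model `DEFAULT Prefix == prefix`: Prefix yields Stripped-User-Name,
    and Strip-User-Name = YES additionally overwrites User-Name itself."""
    out = dict(request)
    name = request["User-Name"]
    if name.startswith(prefix):
        out["Stripped-User-Name"] = name[len(prefix):]
        if strip_user_name:  # the setting the reply says to remove
            out["User-Name"] = out["Stripped-User-Name"]
    return out

def rlm_eap_identity_check(request: dict) -> bool:
    """Model the log's 'Identity does not match User-Name' failure in rlm_eap."""
    return eap_identity(request["EAP-Message"]) == request["User-Name"]

def check_cert_cn(request: dict, cert_cn: str) -> bool:
    """check_cert_cn = "%{Stripped-User-Name:-%{User-Name}}" compared to the cert CN."""
    return cert_cn == (request.get("Stripped-User-Name") or request["User-Name"])

def build_request(identity: str) -> dict:
    """Constructed Access-Request: the NAS copies the EAP Identity into User-Name."""
    body = bytes([EAP_IDENTITY]) + identity.encode("ascii")
    eap = bytes([2, 1]) + (4 + len(body)).to_bytes(2, "big") + body
    return {"User-Name": identity, "EAP-Message": "0x" + eap.hex()}

def demo() -> dict:
    """Run both hints configurations on one constructed machine-auth request."""
    req = build_request("host/example-laptop.example.org")
    results = {}
    for label, strip in (("Strip-User-Name = YES", True), ("prefix only", False)):
        r = apply_hints(req, "host/", strip)
        results[label] = (rlm_eap_identity_check(r), check_cert_cn(r, "example-laptop.example.org"))
    return results

if __name__ == "__main__":
    for label, (eap_ok, cn_ok) in demo().items():
        print(f"{label}: EAP identity {'ok' if eap_ok else 'MISMATCH'}, cert CN {'ok' if cn_ok else 'MISMATCH'}")
```

With Strip-User-Name = YES the rewritten User-Name no longer equals the EAP Identity, which is the mismatch the debug output shows; with the prefix alone, Stripped-User-Name still carries the bare machine name for check_cert_cn while User-Name is left intact.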


On Thu, 24 Jun 2004, Jeremy Scribner wrote:

> Mike I think I've configured your suggestion, below is what freeradius
> displays (With my Domain Name Changed) when I try and bring my laptop online
> My Root CA Certificate is in the Trusted Root Certification Authorities
> Store
> I created a new Certificate with my computer name in the CN field
>
> I'm trying this from a WinXP SP1 Computer
>
> I've added:
>
> DEFAULT Prefix = "host/", Strip-User-Name = YES
> Hint = "EAP",
> Service-Type = Framed-User,
> Framed-Protocol = EAP
>
> to my hints file
>
> and  "%{Stripped-User-Name:-%{User-Name}}". (w/o quotes) to my eap.conf file
>
> Hopefully someone smarter than I can decipher this debug file.
>
>
> rad_recv: Access-Request packet from host 172.30.1.249:21648, id=194,
> length=192
>         User-Name = "host/Scribner-Laptop.MyDomain.Org"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9641.1a7a"
>         Calling-Station-Id = "0040.9641.3aa7"
>         Service-Type = Login-User
>         Message-Authenticator = 0x5055ee82d6d4f2e270819b29e86b8141
>         EAP-Message =
> 0x0202002901686f73742f53637269626e65722d4c6170746f702e4341
> 4d432d4f6e6c696e652e4f5247
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 511
>         NAS-IP-Address = 172.30.1.249
>         NAS-Identifier = "CAMC-AP-1"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> Invalid operator for item Prefix: reverting to '=='
>   hints: Matched DEFAULT at 48
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
> up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 2 length 41
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 0
> modcall: group authenticate returns invalid for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 194 to 172.30.1.249:21648
> Waking up in 4 seconds...
> rad_recv: Access-Request packet from host 172.30.1.249:21648, id=195,
> length=192
>         User-Name = "host/Scribner-Laptop.MyDomain.Org"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9641.1a7a"
>         Calling-Station-Id = "0040.9641.3aa7"
>         Service-Type = Login-User
>         Message-Authenticator = 0xc3a48c4699bfa3b310021c644f0960b2
>         EAP-Message =
> 0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
> 4d432d4f6e6c696e652e4f5247
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 512
>         NAS-IP-Address = 172.30.1.249
>         NAS-Identifier = "CAMC-AP-1"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> Invalid operator for item Prefix: reverting to '=='
>   hints: Matched DEFAULT at 48
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
> up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: EAP packet type response id 1 length 41
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 1
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 1
> modcall: group authorize returns updated for request 1
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 1
> modcall: group authenticate returns invalid for request 1
> auth: Failed to validate the user.
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 194 with timestamp 40db5adf
> Sending Access-Reject of id 195 to 172.30.1.249:21648
> Waking up in 2 seconds...
> rad_recv: Access-Request packet from host 172.30.1.249:21648, id=196,
> length=192
>         User-Name = "host/Scribner-Laptop.MyDomain.Org"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9641.1a7a"
>         Calling-Station-Id = "0040.9641.3aa7"
>         Service-Type = Login-User
>         Message-Authenticator = 0x0f84e63c63bc15cee5e9208ac74c507c
>         EAP-Message =
> 0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
> 4d432d4f6e6c696e652e4f5247
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 513
>         NAS-IP-Address = 172.30.1.249
>         NAS-Identifier = "CAMC-AP-1"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
> Invalid operator for item Prefix: reverting to '=='
>   hints: Matched DEFAULT at 48
>   modcall[authorize]: module "preprocess" returns ok for request 2
>   modcall[authorize]: module "chap" returns noop for request 2
>   modcall[authorize]: module "mschap" returns noop for request 2
>     rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
> up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 2
>   rlm_eap: EAP packet type response id 1 length 41
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 2
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 2
> modcall: group authorize returns updated for request 2
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 2
> modcall: group authenticate returns invalid for request 2
> auth: Failed to validate the user.
> Delaying request 2 for 1 seconds
> Finished request 2
> Going to the next request
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 195 with timestamp 40db5ae1
> Sending Access-Reject of id 196 to 172.30.1.249:21648
> Waking up in 4 seconds...
> rad_recv: Access-Request packet from host 172.30.1.249:21648, id=197,
> length=192
>         User-Name = "host/Scribner-Laptop.MyDomain.Org"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9641.1a7a"
>         Calling-Station-Id = "0040.9641.3aa7"
>         Service-Type = Login-User
>         Message-Authenticator = 0x6cb568cd67f1634858dcef38461dc830
>         EAP-Message =
> 0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
> 4d432d4f6e6c696e652e4f5247
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 514
>         NAS-IP-Address = 172.30.1.249
>         NAS-Identifier = "CAMC-AP-1"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
> Invalid operator for item Prefix: reverting to '=='
>   hints: Matched DEFAULT at 48
>   modcall[authorize]: module "preprocess" returns ok for request 3
>   modcall[authorize]: module "chap" returns noop for request 3
>   modcall[authorize]: module "mschap" returns noop for request 3
>     rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
> up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 3
>   rlm_eap: EAP packet type response id 1 length 41
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 3
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 3
> modcall: group authorize returns updated for request 3
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 3
> modcall: group authenticate returns invalid for request 3
> auth: Failed to validate the user.
> Delaying request 3 for 1 seconds
> Finished request 3
> Going to the next request
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 196 with timestamp 40db5ae5
> Sending Access-Reject of id 197 to 172.30.1.249:21648
> Waking up in 2 seconds...
> rad_recv: Access-Request packet from host 172.30.1.249:21648, id=198,
> length=192
>         User-Name = "host/Scribner-Laptop.MyDomain.Org"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9641.1a7a"
>         Calling-Station-Id = "0040.9641.3aa7"
>         Service-Type = Login-User
>         Message-Authenticator = 0x5bc89559f40f0887943b442feae73f96
>         EAP-Message =
> 0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
> 4d432d4f6e6c696e652e4f5247
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 515
>         NAS-IP-Address = 172.30.1.249
>         NAS-Identifier = "CAMC-AP-1"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
> Invalid operator for item Prefix: reverting to '=='
>   hints: Matched DEFAULT at 48
>   modcall[authorize]: module "preprocess" returns ok for request 4
>   modcall[authorize]: module "chap" returns noop for request 4
>   modcall[authorize]: module "mschap" returns noop for request 4
>     rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
> up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 4
>   rlm_eap: EAP packet type response id 1 length 41
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 4
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 4
> modcall: group authorize returns updated for request 4
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 4
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 4
> modcall: group authenticate returns invalid for request 4
> auth: Failed to validate the user.
> Delaying request 4 for 1 seconds
> Finished request 4
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 197 with timestamp 40db5ae7
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 198 to 172.30.1.249:21648
> Waking up in 4 seconds...
> rad_recv: Access-Request packet from host 172.30.1.249:21648, id=199,
> length=192
>         User-Name = "host/Scribner-Laptop.MyDomain.Org"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9641.1a7a"
>         Calling-Station-Id = "0040.9641.3aa7"
>         Service-Type = Login-User
>         Message-Authenticator = 0xaabc8c7f21eae2c72f6a157db6d48f90
>         EAP-Message =
> 0x0201002901686f73742f53637269626e65722d4c6170746f702e4341
> 4d432d4f6e6c696e652e4f5247
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 516
>         NAS-IP-Address = 172.30.1.249
>         NAS-Identifier = "CAMC-AP-1"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 5
> Invalid operator for item Prefix: reverting to '=='
>   hints: Matched DEFAULT at 48
>   modcall[authorize]: module "preprocess" returns ok for request 5
>   modcall[authorize]: module "chap" returns noop for request 5
>   modcall[authorize]: module "mschap" returns noop for request 5
>     rlm_realm: No '@' in User-Name = "Scribner-Laptop.MyDomain.Org", looking
> up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 5
>   rlm_eap: EAP packet type response id 1 length 41
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 5
>     users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 5
> modcall: group authorize returns updated for request 5
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 5
> modcall: group authenticate returns invalid for request 5
> auth: Failed to validate the user.
> Delaying request 5 for 1 seconds
> Finished request 5
> Going to the next request
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 4 ID 198 with timestamp 40db5aec
> Sending Access-Reject of id 199 to 172.30.1.249:21648
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 5 ID 199 with timestamp 40db5aee
>
>
>
>
>
> ----- Original Message -----
> From: "Michael Griego" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, June 24, 2004 4:24 PM
> Subject: Re: EAP/TLS Computer Certificates
>
>
> > Couple of things:
> >
> > 1. Make sure the CA certificate also exists in the Local Computer
> > Trusted Roots Store.
> >
> > 2. For Windows 2000, make sure that the machine name is in the CN or
> > subjAltName fields of the certificate.  It can be just localpart of
> > fqdn, so if your fqdn of your machine is somemachine.domain.com, then
> > the CN can be just somemachine or it can be somemachine.domain.com.
> >
> > 3. Make sure that when you copied the certificate from the Personal
> > Store to the Local Computer store that the Private Key was copied as
> > well.
> >
> > 4. Note that when Windows connected with computer authentication, it
> > will prepend "host/" onto the CN field of the certificate.  So, if you
> > use the check_cert_cn option in the EAP-TLS setup, you'll need to
> > probably run it through the hints file with a prefix of "host/" to
> > create the Stripped-User-Name attribute, and change the check_cert_cn
> > option to be "%{Stripped-User-Name:-%{User-Name}}".
> >
> > --Mike
> >
> > On Thu, 2004-06-24 at 16:01, Jeremy Scribner wrote:
> > > Yesterday installed freeradius-snapshot-20040623 &
> > > openssl-SNAP-20040623 in hopes of using it for Wireless
> > > Authentication.  I followed the instructions from the different
> > > FreeRadius TLS How-to, and can successfully make authentication work
> > > using the client user certificate.
> > >
> > > My problem now is I would like to create a certificate that
> > > authenticates just the computer and not worry about user
> > > certificates.  I know many of the security experts out there are
> > > shuttering by my even thinking about using a single certificate for
> > > authentication, but my environment doesn't work well for distributing
> > > individual certificates to all of my users.  Our laptops are used for
> > > training purposes and students don't use the same laptop every time.
> > > Is there something special I need to do to create a machine
> > > certificate vs a user certificate?
> > >
> > > If I move the user certificate to the (Local Computer) I cannot
> > > connect.
> > >
> > >
> > >
> > > My Environment consists of:
> > >
> > > Linux Red Hat 9 Server running FreeRadius and OpenSSL
> > >
> > > Cisco 350 Series AP
> > >
> > > Windows XP SP 1 & Windows 2000 SP 4 Laptops
> > >
> > >
> > >
> > > Thank-you in advance for any help
> > >
> > >
> > >
> > > Jeremy Scribner
> > --
> >
> > --Mike
> >
> > ----------------------------------
> > Michael Griego
> > Wireless LAN Project Manager
> > The University of Texas at Dallas
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> >
> >
>
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html