On Tue, Mar 29, 2005, Mametz Laurent wrote:
> Hello,
>
> I want to make an authentication with PEAP TLS.
> I think that my TLS tunnel works fine, but I can't authenticate any user
> from my Windows XP SP2. I have an AP Netgear WG302, and my freeradius
> runs on Mandrake 10.1.
> I read the FAQ and the news but, I am always in black ...
> My conf.
>
> users
> ---------------
> toto User-Password == "toto"

That is useless if you just want to authenticate by validating the client
SSL certificate.

> eap.conf
> ------------
> eap {
>     peap {
>         default_eap_type = mschapv2
>     }
> }
>
> mschapv2 {
> }

Your freeradius is configured to do PEAP MSCHAPv2 by default, and not PEAP
TLS. I suppose it's just a default behavior and it won't interfere if the
supplicant explicitly requests PEAP TLS, but maybe you should disable the
MSCHAP stuff and set default_eap_type = tls in the PEAP section. It would
make your config file cleaner, if nothing else.

> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> eaptls_verify returned 3
> eaptls_process returned 3
> TLS_accept:error in SSLv3 read client certificate A
> rlm_eap_peap: EAPTLS_SUCCESS
> modcall[authenticate]: module "eap" returns handled for request 3
> modcall: group authenticate returns handled for request 3
> Sending Access-Challenge of id 27 to 134.214.202.181:1035

I don't know OpenSSL and its obscure error messages well, but it seems to
have a problem with your client certificate. If I were you, I would check
that the right certificate and authentication method are selected in the
client's configuration.

--
Alexandre Coninx

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
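
The check the reply above suggests, comparing the PEAP inner default in eap.conf with the method the supplicant is set up for, can be scripted. The following is an added example, not part of the original thread and not FreeRADIUS code; the function names are hypothetical, and the parser assumes one statement per line with no '#' inside values.

```python
# Line-oriented reader for FreeRADIUS-style "name { key = value }" text.
# Assumption: one statement per line, and '#' never appears inside a value.
# Excerpt as quoted in the post; indentation is reconstructed.
POSTED_EAP_CONF = """
eap {
    peap {
        default_eap_type = mschapv2
    }
}
mschapv2 {
}
"""
# Same excerpt with the change the reply suggests (constructed for comparison).
SUGGESTED_EAP_CONF = POSTED_EAP_CONF.replace("= mschapv2", "= tls")

def parse_sections(text):
    """Return nested dicts for the sections and settings found in text."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.endswith("{"):                # "name {" opens a sub-section
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched closing brace")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of input")
    return root

def peap_inner_mismatch(conf_text, wanted):
    """Return a finding if the PEAP inner default differs from wanted, else None."""
    peap = parse_sections(conf_text).get("eap", {}).get("peap", {})
    inner = peap.get("default_eap_type")
    if inner == wanted:
        return None
    return f"eap.peap.default_eap_type is {inner!r}, supplicant is set up for {wanted!r}"
```

Calling `peap_inner_mismatch(POSTED_EAP_CONF, "tls")` reports the mschapv2 default from the posted excerpt, while the same call on `SUGGESTED_EAP_CONF` returns `None`.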