On Tue, Mar 29, 2005, Mametz Laurent wrote:
> Hello,
>
> I want to do authentication with PEAP TLS.
> I think that my TLS tunnel works fine, but I can't authenticate any user
> from my Windows XP SP2. I have a Netgear WG302 AP, and my freeradius
> runs on Mandrake 10.1.
> I read the FAQ and the news, but I am still in the dark ...
> My conf.
> users
> ---------------
> toto User-Password == "toto"
That is useless if you just want to authenticate by validating the
client SSL certificate.
> eap.conf
> ------------
> eap {
> peap {
> default_eap_type = mschapv2
> }
> }
>
> mschapv2 {
> }
Your freeradius is configured to do PEAP MSCHAPv2 by default, and not
PEAP TLS. I suppose it's just a default behavior and it won't interfere
if the supplicant explicitly requests PEAP TLS, but maybe you should
disable the MSCHAP stuff and set default_eap_type = tls in the PEAP
section. It would make your config file cleaner, if nothing else.
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> eaptls_verify returned 3
> eaptls_process returned 3
> TLS_accept:error in SSLv3 read client certificate A
> rlm_eap_peap: EAPTLS_SUCCESS
> modcall[authenticate]: module "eap" returns handled for request 3
> modcall: group authenticate returns handled for request 3
> Sending Access-Challenge of id 27 to 134.214.202.181:1035
I don't know OpenSSL and its obscure error messages well, but it seems
to have a problem with your client certificate. If I were you, I would
check that the right certificate and authentication method are selected
in the client's configuration.
--
Alexandre Coninx
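
An added example, not part of the original message or of FreeRADIUS itself: a small checker that parses the eap.conf fragment quoted above and reports whether the `peap` section's `default_eap_type` matches the inner method the operator intends. The function names, the `wanted` parameter and the simplified `name { key = value }` grammar are assumptions made for illustration.

```python
import re

# eap.conf fragment as quoted in the message above.
EAP_CONF = """
eap {
    peap {
        default_eap_type = mschapv2
    }
}
mschapv2 {
}
"""

def parse_sections(text):
    """Parse 'name { key = value }' blocks into nested dicts (simplified grammar)."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        opened = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if opened:                                # section opens
            stack.append(stack[-1].setdefault(opened.group(1), {}))
        elif line == "}":                         # section closes
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched closing brace")
            stack.pop()
        elif "=" in line:                         # key = value
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of input")
    return root

def check_inner_type(text, wanted):
    """Compare peap's default_eap_type with the inner method the operator intends."""
    found = parse_sections(text).get("eap", {}).get("peap", {}).get("default_eap_type")
    if found is None:
        return False, "no default_eap_type set in the peap section"
    if found.lower() != wanted.lower():
        return False, f"peap default_eap_type is {found!r}, intended {wanted!r}"
    return True, f"peap default_eap_type is {found!r}"

if __name__ == "__main__":
    print(check_inner_type(EAP_CONF, "tls"))
```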