> > -------- Original message --------
> > Date: Wed, 30 Jan 2008 09:28:31 -0500
> > From: "Wm. Josiah Erikson" <[EMAIL PROTECTED]>
> > To: FreeRadius users mailing list <[email protected]>
> > Subject: Re: deactivate ldap.attrmap
> >
> > What struck me was that you need more attributes, but maybe I missed them:
> >
> > -cacertfile
> > -certfile
> > -keyfile
> >
> > -Josiah
>
> I also tried a configuration with these attributes, but the error was the same. In my config there is at the moment only the "cacertfile", which is needed for the check of the eDirectory server certificate.
> In my opinion, I don't need the certfile and keyfile for EAP-TLS, because the eDirectory server doesn't check the FreeRADIUS server certificate. Is this correct?!?
>
> Sebastian
>
> > Sebastian Heil wrote:
> > >> Sebastian Heil wrote:
> > >> ...
> > >>> I added the following lines to the ldap section:
> > >> ...
> > >>> rlm_ldap: could not start TLS Can't contact LDAP server
> > >>
> > >> Maybe you need to check that there is an LDAP server listening on that port?
> > >>
> > >> Alan DeKok.
> > >
> > > Thanks for your fast answer, Alan.
> > > But I am afraid this is not the solution... the LDAP server is listening and even responding to my LDAP request. I captured the communication between the FreeRADIUS and the eDirectory with Ethereal:
> > >
> > > Does anyone have any idea about the "Encrypted Alert" in no. 14?? Thanks.
> > >
> > > ---------------------
> > > No.  Time      Source         Destination    Protocol  Info
> > > 1    0.000000  radtestclient  freeradius     RADIUS    Access-Request(1) (id=74, l=58)
> > > 3    0.000749  freeradius     edirectory     TCP       56302 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
> > > 5    0.012986  edirectory     freeradius     TCP       ldaps > 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
> > > 6    0.013057  freeradius     edirectory     TCP       56302 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
> > > 7    0.013639  freeradius     edirectory     SSLv2     Client Hello
> > > 8    0.021887  edirectory     freeradius     TLSv1     Server Hello,
> > > 9    0.022035  freeradius     edirectory     TCP       56302 > ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
> > > 10   0.030390  edirectory     freeradius     TLSv1     Certificate
> > > 11   0.030550  freeradius     edirectory     TCP       56302 > ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
> > > 12   0.032263  freeradius     edirectory     TLSv1     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
> > > 13   0.048990  edirectory     freeradius     TLSv1     Change Cipher Spec, Encrypted Handshake Message
> > > 14   0.049652  freeradius     edirectory     TLSv1     Encrypted Alert
> > > 15   0.049923  freeradius     edirectory     TCP       56302 > ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
> > > 17   0.057441  edirectory     freeradius     TCP       ldaps > 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
> > > 18   0.057774  edirectory     freeradius     TLSv1     Encrypted Alert
> > > 19   0.057807  freeradius     edirectory     TCP       56302 > ldaps [RST] Seq=507 Len=0
> > > 20   0.057880  edirectory     freeradius     TCP       ldaps > 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
> > > 21   0.057903  freeradius     edirectory     TCP       56302 > ldaps [RST] Seq=507 Len=0
I think I found the problem. The client starts the session with the Client Hello packet. I think the protocol of the Client Hello packet is wrong: it's not TLS but SSLv2. For example, in SSLv2 the random number is missing. Is there a way to change the Client Hello packet to TLS, not SSLv2?

Thanks in advance.

Sebastian

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
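Frame 7 in the capture is labelled "SSLv2 Client Hello" while the server answers in TLSv1 records from frame 8 onward. The script below is an added example, not code from the thread or from FreeRADIUS: it builds both forms of a ClientHello from constructed bytes and classifies a raw first client record the way a dissector does. An SSLv2-format hello has a 2-byte header with the high bit set, a CLIENT-HELLO type byte, a version, 3-byte cipher specs and a variable-length challenge, and carries no 32-byte random; a TLS hello is a handshake record (content type 0x16) carrying the client version, the 32-byte random and 2-byte cipher suites. The classifier also reports the version advertised inside a v2-format hello, because a v2-format hello can still announce version 3.1 (TLS 1.0), and that version field is what the server reads when it decides which protocol to answer with. The function names and the two sample cipher suites are my own choices.

```python
"""Classify the first client record of an SSL/TLS session: SSLv2-format
ClientHello versus TLS record-layer ClientHello.  Added example; all
sample bytes are constructed here, not taken from the thread's capture."""
import os
import struct

# Constructed sample suites: TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA
SAMPLE_SUITES = [0x000A, 0x0005]


def build_v2_client_hello(version=(3, 1), suites=SAMPLE_SUITES, challenge=None):
    """SSLv2-format ClientHello: 2-byte record header (high bit set, 15-bit
    length), then MSG-CLIENT-HELLO (0x01), version, cipher-spec length,
    session-id length, challenge length, 3-byte cipher specs, session id,
    challenge.  There is no 32-byte random and no extension block."""
    if challenge is None:
        challenge = os.urandom(16)
    # TLS suites are carried in v2 form as 0x00 followed by the 2-byte code
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suites)
    body = (bytes([0x01, version[0], version[1]])
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_client_hello(version=(3, 1), suites=SAMPLE_SUITES, random_bytes=None):
    """TLS record: content type 0x16 (handshake), version, 2-byte length.
    Handshake: type 0x01 (client_hello), 3-byte length, client version,
    32-byte random, session id, 2-byte cipher suites, compression methods."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites_b = b"".join(struct.pack("!H", s) for s in suites)
    hs_body = (bytes(version) + random_bytes + b"\x00"
               + struct.pack("!H", len(suites_b)) + suites_b
               + b"\x01\x00")
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_client_hello(data):
    """Return a dict with the record format and the version the client advertises."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] == 0x16:
        rec_ver = (data[1], data[2])
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < 39 or body[0] != 0x01:
            raise ValueError("TLS record is not a ClientHello")
        if int.from_bytes(body[1:4], "big") != len(body) - 4:
            raise ValueError("handshake length mismatch")
        client_ver = (body[4], body[5])
        sid_len = body[38]                      # random occupies body[6:38]
        off = 39 + sid_len
        cs_len = struct.unpack("!H", body[off:off + 2])[0]
        suites = [struct.unpack("!H", body[i:i + 2])[0]
                  for i in range(off + 2, off + 2 + cs_len, 2)]
        return {"format": "TLS", "record_version": rec_ver,
                "client_version": client_ver, "has_random": True,
                "cipher_suites": suites}
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        client_ver = (body[1], body[2])
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        if 9 + cs_len + sid_len + ch_len != len(body):
            raise ValueError("SSLv2 CLIENT-HELLO length mismatch")
        specs = body[9:9 + cs_len]
        suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"format": "SSLv2-compatible", "client_version": client_ver,
                "has_random": False, "challenge_len": ch_len,
                "cipher_suites": suites}
    raise ValueError("not a recognisable ClientHello")


if __name__ == "__main__":
    for hello in (build_v2_client_hello(), build_tls_client_hello()):
        print(classify_client_hello(hello))
```

To apply this to a real session, export the payload of the client's first TCP segment after the three-way handshake (frame 7 in the capture above) and pass those bytes to classify_client_hello; the "format" field tells you what the dissector would label it, and "client_version" tells you what the client actually asked for.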

