Stefan Puch wrote:
@Alan DeKok
I'll bet that if you posted the final Access-Accept from 1.1.7 and from 2.0.1, that they would be *different*. If you make them the same, I'll also bet that the NAS will accept the user.
You were right (you win the bet). I accidentally commented out an entry in the
"default" file, whose settings were included in radiusd.conf in previous versions
of freeradius.

Stop fighting with the certificates.  You're wasting your time, and confusing
yourself.  Start looking at the contents of the Access-Accept, which is the
only thing that really matters.
With that hint I was able to get Windows and Linux laptops working again using
EAP-TLS and freeradius 2.0.1. I also managed to get a WM2003 and a WM6 PDA
connecting using EAP-PEAP.
For using EAP-TLS with the Windows Mobile devices I still have to solve one
problem, which I think would be no problem for you: the problem with the
username of the devices.

If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a
working configuration, but finally it should also work with that option enabled.
The problem with the Windows Mobile devices is that they always submit
"DOMAIN\user" as the username. If you leave the domain name blank, "\user" is still used.
Since the radiusd.conf hints say that I should NOT use the option
"with_ntdomain_hack" (and when I tested it, it still didn't work for me), I wanted to
use the "Realm module".
But at the moment I don't fully understand how realms work, although I did read
the posting on this mailing list (from 2004) and the manpage.

I know that I will have to use the realm module
You don't... you're using 2.01?

Write a regular expression to strip off the preceding \
Here's one I did earlier... If I remember correctly, it's \\\\ to get down to one \ in the username: \\ to escape it in the RegExp string, \\ to make \ literal in the regular expression...


authorize {
    # USERNAME FORMATTING
    # User-Name Formatting, extracts Realm, User. Ignores NT domain
    # This will accept
    # * user
    # * [EMAIL PROTECTED]
    # * ntdomain\\user
    # * [EMAIL PROTECTED]
    if ("%{User-Name}" =~ /\\\\?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) {
        update request {
            Stripped-User-Name = "%{1}"
        }
    }
    ...
}

You then use:
check_cert_cn = %{Stripped-User-Name}

PS: When I've got a working configuration for the Windows Mobile devices, I'm
going to write a little HOWTO like the one "EAP/TLS Setup for FreeRADIUS and
Windows XP Supplicant" just for mobile PDAs.


------------------------------------------------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
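To check what such a stripping rule will hand to check_cert_cn before putting it into the authorize section, here is an added stand-alone example (not part of the thread and not FreeRADIUS code). It models the same idea in Python: an optional "NTDOMAIN\" or bare "\" prefix is dropped, the user part becomes Stripped-User-Name, and an optional "@realm" suffix is captured separately. The regex character classes are this example's own assumption, since the archived post's pattern is partly masked.

```python
import re

# Assumed Python equivalent of the unlang regex in the post: optional
# NT-domain prefix (or a lone backslash), the user part, optional realm.
# Character classes are this example's choice, not copied from the archive.
USER_NAME_RE = re.compile(
    r"^(?:[^\\@]*\\)?"           # optional "NTDOMAIN\" or just "\" prefix
    r"([^\\@]+)"                 # group 1: user part -> Stripped-User-Name
    r"(?:@([-A-Za-z0-9._]*))?$"  # group 2: optional realm after "@"
)


def stripped_user_name(user_name):
    """Return (Stripped-User-Name, realm), or None if the name does not match.

    The realm is "" when the User-Name carries no "@realm" suffix.
    """
    m = USER_NAME_RE.match(user_name)
    if m is None:
        return None
    return m.group(1), m.group(2) or ""


def cert_cn_matches(user_name, cert_cn):
    """Model check_cert_cn = %{Stripped-User-Name}: the client certificate's
    CN must equal the domain-stripped user part exactly."""
    parsed = stripped_user_name(user_name)
    return parsed is not None and parsed[0] == cert_cn


if __name__ == "__main__":
    # Constructed sample User-Name values, including the "\user" form that a
    # Windows Mobile device sends when its domain field is left blank.
    samples = ["user", "user@example.org", "CORP\\user", "\\user",
               "CORP\\user@example.org", "CORP\\"]
    for name in samples:
        print(repr(name), "->", stripped_user_name(name))
```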
