Ivan Kalik wrote:
> Please don't mess with configuration. Default one works. Your problem
> was with the user certificate.
> http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/ConfiguringFreeRADIUSwithIDMbyExample_Dec_07_WW_Eng_Ltr.pdf
> On page 52 you have a picture of the Details tab list with Enhanced Key
> Usage field containing client OID. Does your client certificate have
> that field and that value?

Hi Ivan!

You can view screenshots of the certificate here:
- CA certificate that I imported on XP in DER format:
  http://img357.imageshack.us/img357/2264/cacertificate1wj4.jpg
- Client certificate in p12 format:
  http://img164.imageshack.us/img164/2894/certifclient1kf1.jpg
  http://img164.imageshack.us/img164/7527/certifclient2rv3.jpg

Sorry for the delay, I was on a trip!

I am still blocked on "Identity validation" when I try to use EAP-TLS.
The attached files contain a snapshot of my CA certificate (cacert.der) and my client certificate (joel_certs.p12), plus the command lines applied to obtain them. Please let me know if they are correct, as I suppose they are!

Here is my eap-tls configuration:

####################################################################
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
 tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/CA/other_keys/servradiuskey.pem"
        certificate_file = "/etc/raddb/certs/CA/certs/serverradiuscert.pem"
        CA_file = "/etc/raddb/certs/CA/cacert.pem"
        private_key_password = "wireless"
        dh_file = "/etc/raddb/certs/CA/dh"
        random_file = "/etc/raddb/certs/CA/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
 }
###############################################################

My scripts:

######################################################################
# Creating a new self-signed CA certificate
######################################################################
# Produces cakey.pem and cacert.pem
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config ./ca.cnf

# DER format of the CA certificate, which I imported on Windows XP
# (ca.der is converted from the cacert.pem produced above)
openssl x509 -inform PEM -outform DER -in cacert.pem -out ca.der

######################################################################
# Creating a certificate request for the server
######################################################################
openssl req -newkey rsa:1024 -keyout /etc/raddb/certs/CA/other_keys/servradiuskey.pem -out /etc/raddb/certs/CA/req/servradius_cert.req

######################################################################
# Signing the server certificate with the correct extension
######################################################################
openssl ca -out /etc/raddb/certs/CA/certs/serverradiuscert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/servradius_cert.req

######################################################################
# Creating a certificate request for the client
######################################################################
openssl req -new -nodes -keyout /etc/raddb/certs/CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/req/joel_cert.req

######################################################################
# Signing the client certificate with the correct extension
######################################################################
openssl ca -out /etc/raddb/certs/CA/certs/joel_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/joel_cert.req

######################################################################
# Converting the client certificate to a p12 file
# (the relative CA/ paths assume this is run from /etc/raddb/certs)
######################################################################
openssl pkcs12 -export -in CA/certs/joel_cert.pem -inkey CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/certs/joel_certs.p12 -clcerts
######################################################################

** Let me know if I did something wrong creating my certificate please **

That is all I did.

Thank you

Please don't mess with configuration. Default one works. Your problem was with the user certificate.

http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/ConfiguringFreeRADIUSwithIDMbyExample_Dec_07_WW_Eng_Ltr.pdf

On page 52 you have a picture of the Details tab list with Enhanced Key Usage field containing client OID. Does your client certificate have that field and that value?

Ivan Kalik
Kalik Informatika ISP

On 7/5/2008, "Joel MBA OYONE" <[EMAIL PROTECTED]> writes:

>Ok,
>
>I think I really missed something! That config should take less than 15 minutes but I can't solve my problem for more than a week.
>
>Alan or Ivan, could you give me half an hour to help me fix my RADIUS EAP-TLS config please. I would like to give you full access to my network and my terminal too, so the diagnostic should be very very easy for you!
>Is it possible?
>
>
>MBA OYONE Joël
>Lot. El Firdaous
>Bât GH20, Porte A 204, Appt 8
>20000 Oulfa
>Casablanca - Maroc
>
>Tél. : +212 69 25 85 70
>
>
>----- Original message ----
>From: Alan DeKok <[EMAIL PROTECTED]>
>To: FreeRadius users mailing list <[email protected]>
>Sent: Monday, 5 May 2008, 17:18:10
>Subject: Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??
>
>Joel MBA OYONE wrote:
>...
>> The VLAN attributes defined in RFC3580 are as follows:
>> • Tunnel-Type=VLAN (13)
>> • Tunnel-Medium-Type=802
>> • Tunnel-Private-Group-ID=VLANID
>>
>> NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6,
>> which is why client entries use 6 for the Tunnel-Medium-Type value.
>
> No. For Tunnel-Medium-Type, "802" is a *name*, not a *number*. See
>Section 3.2 of RFC 2868:
>
>...
> Value
> The Value field is three octets and contains one of the values
> listed under "Address Family Numbers" in [14]. For the sake of
> convenience, a relevant excerpt of this list is reproduced below.
>
> 1 IPv4 (IP version 4)
> 2 IPv6 (IP version 6)
> 3 NSAP
> 4 HDLC (8-bit multidrop)
> 5 BBN 1822
> 6 802 (includes all 802 media plus Ethernet "canonical format")
>...
>
> FreeRADIUS gets it *right*. Many NAS vendors get it *wrong*.
>
>> To create a user and assign the user to a particular VLAN by using
>> FreeRADIUS, open the etc/raddb/users file, which contains the user
>> account information, and add an entry for the new user.
>> The following example shows the entry for a user in the users file. The
>> username is "johndoe," the password is "test1234." The user is assigned
>> to VLAN 77.
>>
>> johndoe Auth-Type := EAP, User-Password == "test1234"
>> Tunnel-Type = 13,
>> Tunnel-Medium-Type = 6,
>
> Or: Tunnel-Medium-Type = IEEE-802
>....
>>
>> In both cases, it stays on "IDENTITY VALIDATION" in XP wireless management, and sometimes I receive the right IP address in the right IP pool but lose it immediately, maybe because of the repeating cycle of the authentication sequence.
>> AND, the client certificate, signed by the server (not the CA root), is still
>> with the same message.
>>
>>
>> hope it would be helpful !!
>
> Arg. Microsoft keeps putting magic nonsense into their OS's to make
>it difficult to use non-Microsoft RADIUS servers.
>
> And yes, this *is* a problem even inside of Microsoft! So if you're
>finding it a PITA to get it working, rest assured that Microsoft does, too.
>
> Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-----The corresponding attachment follows-----

######################################################################
#
# Create a new self-signed CA certificate
#
######################################################################
# Produces cakey.pem and cacert.pem
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config ./ca.cnf
# ca.der: DER form of cacert.pem
openssl x509 -inform PEM -outform DER -in cacert.pem -out ca.der
######################################################################
# Server certificate request
openssl req -newkey rsa:1024 -keyout /etc/raddb/certs/CA/other_keys/servradiuskey.pem -out /etc/raddb/certs/CA/req/servradius_cert.req
# Signing the server certificate
openssl ca -out /etc/raddb/certs/CA/certs/serverradiuscert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/servradius_cert.req
# Client certificate request
openssl req -new -nodes -keyout /etc/raddb/certs/CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/req/joel_cert.req
# Signing the client certificate
openssl ca -out /etc/raddb/certs/CA/certs/joel_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/joel_cert.req
# Converting the client certificate to PKCS#12 format
# (the relative CA/ paths assume this is run from /etc/raddb/certs)
openssl pkcs12 -export -in CA/certs/joel_cert.pem -inkey CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/certs/joel_certs.p12 -clcerts
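Ivan's question above (does the client certificate carry the Enhanced Key Usage client OID?) can be answered on the RADIUS host before the p12 is exported. The script below is an added example, not the thread's own script: it assumes an openssl binary of 1.1.1 or newer on PATH, reproduces the xpclient_ext / xpserver_ext sections of the thread's /etc/ssl/xpextensions file with the standard client/server-auth OIDs, and compares a certificate signed with that section against one signed without it.

```shell
#!/bin/sh
# Added example (not the thread's script): sign one client certificate with
# the xpclient_ext section and one with no extensions, then check which one
# carries the EKU Windows XP needs for EAP-TLS. Assumes openssl >= 1.1.1.
set -e
WORK=$(mktemp -d)

# Same section names and OIDs as the /etc/ssl/xpextensions file in the thread:
# 1.3.6.1.5.5.7.3.2 = TLS Web Client Authentication, ...7.3.1 = Server.
cat > "$WORK/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# cert_has_eku FILE NAME: exit 0 if the X509v3 Extended Key Usage extension
# of FILE lists NAME (as "openssl x509 -text" prints it), 1 otherwise.
cert_has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q "$2"
}

# Throwaway CA and one client key/request (constructed test data).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=joel' \
    -keyout "$WORK/joelkey.pem" -out "$WORK/joel.req" 2>/dev/null

# Signed as the thread's script does: with the client extension section.
openssl x509 -req -days 1 -in "$WORK/joel.req" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/xpextensions" \
    -extensions xpclient_ext -out "$WORK/joel_cert.pem" 2>/dev/null
# Signed without -extensions: the usual mistake, no EKU at all.
openssl x509 -req -days 1 -in "$WORK/joel.req" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/joel_noeku.pem" 2>/dev/null

for cert in joel_cert.pem joel_noeku.pem; do
    if cert_has_eku "$WORK/$cert" 'TLS Web Client Authentication'; then
        echo "$cert: OK, has the client-auth EKU"
    else
        echo "$cert: MISSING client-auth EKU, the XP supplicant will not use it"
    fi
done
```

Run the same cert_has_eku check with 'TLS Web Server Authentication' against serverradiuscert.pem to confirm the xpserver_ext side as well.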

