Reveal MAP wrote:
> installing ca.der and putting user && pass into client machine, the
authentication doesn't work?
-- no, it doesn't!
> you only need ca.der but, if you have an active directory like LDAP,
check if your communication with the AD server also has TLS authentication.
In the ldap module you can configure another tls block, which is
different from the tls block in the eap module.
-- Well, the howto explaining how freeradius has to authenticate
users against Active Directory says nothing about ldap config files on
the linux server. It just gives tips about samba, using winbind,
ntlm_auth, krb5.conf, nsswitch.conf and the mschap module in freeradius.
I have always succeeded with this kind of authentication without reading
or changing a line of the ldap module in freeradius.
And I think authenticating users against OpenLDAP won't be managed
like freeradius authentication using Active Directory.
> I don't know if it is your problem, but I suppose that communication
between the ldap server and radius can have different certificates, from
different CAs than the eap communication.
My wireless network is secured with WPA/WPA2 Enterprise, requiring a
RADIUS server to perform authentication. So I am doing 802.1X
authentication, which relies on a valid PKI, regardless of the user
base. This is how I understand it.
> If it is your problem, I would
check it. Also it would be good if you post the radius debug to see which
certificate can't be validated.
See the log here: http://tinypaste.com/5b99b
An active and valid user is:
login: glouglou
password: glouglou
aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
password:
NT_STATUS_OK: Success (0x0)
aaa:~ #
:/ Any help will be appreciated. These days I am wondering about the
validity of the server certificate!
I have to tell you that, in my case, if I try a PEAP authentication
against Active Directory with wrong user credentials, I get an
error message saying that the login or password is incorrect. With good
user credentials, I just obtain what you can see in the radiusd -X
output (http://tinypaste.com/5b99b).
thank you
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
But I think you don't have any problem with certificates, looking at the
radius debug:
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
The client is telling you that it has verified the server cert (against
ca.der). Then the server writes ChangeCipherSpec and Finished, and the TLS
phase is finished. I think you have problems with the mschapv2 phase,
assuming your sql queries are working.
Your problem begins here:
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
expand: --username=%{mschap:User-Name} -> --username=glouglou
I think...
I've never configured PEAP/MSCHAPv2, but I've sometimes read, not
carefully, about some dependencies between the mschap module and mschapv2
or something like that.
Hope this helps you.
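As an added example (not code from the thread, and not part of FreeRADIUS), here is a small Python triage script that applies the reasoning in the reply above to a radiusd -X trace: it checks whether the outer TLS handshake reached "SSL Connection Established" (a certificate or CA problem shows up before that line), which inner EAP type ran, and what rlm_mschap reported for the user. The sample input is the debug excerpt quoted in the thread, embedded inline; the truncated variant, the "phase" labels and the function names are constructed here for illustration and are not FreeRADIUS terms.

```python
import re

# Constructed sample input: the radiusd -X lines quoted in the reply above
# (only the lines that matter for the triage), not a fresh capture.
SAMPLE_DEBUG = """\
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
expand: --username=%{mschap:User-Name} -> --username=glouglou
"""

# Constructed variant: the same exchange cut off after the server reads the
# ClientKeyExchange, so there is no client Finished and no
# "SSL Connection Established" line (what a failed outer phase looks like).
TRUNCATED_DEBUG = "\n".join(SAMPLE_DEBUG.splitlines()[:2]) + "\n"

_INNER_RE = re.compile(r"^rlm_eap: processing type (\S+)")
_MSCHAP_RE = re.compile(r"^rlm_mschap: Told to do MS-CHAPv2 for (\S+) with (\S+)")


def triage_radius_debug(text):
    """Split a radiusd -X trace into outer-TLS and inner-method findings.

    "phase" (a label chosen here, not a FreeRADIUS term) is "tls" if the
    outer handshake never reached "SSL Connection Established",
    "tunnel-no-inner" if the tunnel came up but no inner EAP type was
    processed, and "inner" otherwise.
    """
    lines = [ln.rstrip() for ln in text.splitlines()]
    result = {
        # The client only sends Finished after it accepted the server cert.
        "client_finished": any(ln.startswith("rlm_eap_tls: <<<") and ln.endswith("Finished")
                               for ln in lines),
        "tls_established": "SSL Connection Established" in lines,
        "inner_method": None,
        "mschap_user": None,
        "mschap_password_source": None,
        # The expand line shows rlm_mschap building its ntlm_auth command line.
        "ntlm_auth_expanded": any(ln.startswith("expand: --username=") for ln in lines),
        # Surfaced for the reader to judge; the script does not rate them.
        "cleartext_warnings": [ln for ln in lines if "No Cleartext-Password configured" in ln],
    }
    for ln in lines:
        m = _INNER_RE.match(ln)
        if m:
            result["inner_method"] = m.group(1)
        m = _MSCHAP_RE.match(ln)
        if m:
            result["mschap_user"], result["mschap_password_source"] = m.group(1), m.group(2)
    if not result["tls_established"]:
        result["phase"] = "tls"
    elif result["inner_method"] is None:
        result["phase"] = "tunnel-no-inner"
    else:
        result["phase"] = "inner"
    return result


def summarize(result):
    """One-line verdict following the reasoning in the reply above."""
    if result["phase"] == "tls":
        return "outer TLS handshake did not complete; check the certificate/CA lines before this point"
    if result["phase"] == "tunnel-no-inner":
        return "TLS tunnel established but no inner EAP method was processed"
    extra = ""
    if result["mschap_password_source"]:
        extra = " (rlm_mschap used %s for %s)" % (result["mschap_password_source"],
                                                   result["mschap_user"])
    return "TLS tunnel established; look at the inner %s phase%s" % (result["inner_method"], extra)


if __name__ == "__main__":
    for name, sample in (("thread sample", SAMPLE_DEBUG), ("truncated", TRUNCATED_DEBUG)):
        r = triage_radius_debug(sample)
        print("%s: %s" % (name, summarize(r)))
        for w in r["cleartext_warnings"]:
            print("  note:", w)
```

To use it on a live trace, pipe the output of radiusd -X into a file and pass the file contents to triage_radius_debug(); the script only looks at the lines shown above, so a trace that stops before the client's Finished is classified as an outer-phase (certificate) problem, while one that reaches "SSL Connection Established" points at the inner method.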