RE: RE: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Danner, Mearl
Not possible with the Microsoft supplicant as far as I know. PEAP encapsulation 
doesn't support client certificates.

Probably what you want is EAP-TTLS which is not supported by Microsoft. You'll 
need a third party supplicant for it.

Might look at this for reference:

http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol



-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 10:30 AM
To: FreeRadius users mailing list
Subject: Re: RE: need help - force EAP-TTLS to validate the server certificate

Many thanks for your answer, Mearl Danner. I read the M$ pages but I 
didn't find any possibility to configure the clients so that the client 
uses a username/password and a certificate. Do you know how I can do these 
settings, or if it's generally not possible? Thanks again



---- Original message ----
> Date: Tue, 21 Sep 2010 08:02:27 -0500
> From: "Danner, Mearl" 
> To: FreeRadius users mailing list 
> Subject: RE: need help - force EAP-TTLS to validate the server certificate

> EAP/PEAP  requires a server certificate. You can opt for the M$ supplicant
> to verify it but it does not use a client certificate.
> 
> That's why there is no option to pick the client cert when setting up
> PEAP.
> 
> -Original Message-
> From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
> On Behalf Of Klaus Laus
> Sent: Tuesday, September 21, 2010 5:17 AM
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
> 
> The message is clear. Yes, I created a client certificate and imported it
> into the client. 
> When I use TLS to connect to the FreeRADIUS server I can choose the client
> certificate in the TLS dialog and the client can log in successfully.
> 
> When I use PEAP to log in I have to type in my username and password in the
> PEAP dialog from Windows, but I cannot select a client certificate; the
> certificate is imported successfully in the Windows certificate manager.
> Should I be able to choose a client certificate in the PEAP dialog, or
> should it work when the certificate is saved in the Windows certificate
> manager and I only have to type in my username and password in the PEAP
> dialog?
> 
> I want to allow only PEAP logins (or username/password logins) with a client
> certificate.
> 
> 
> 
> ---- Original message ----
> > Date: Tue, 21 Sep 2010 09:33:29 +0200
> > From: Alan DeKok 
> > To: FreeRadius users mailing list
> > Subject: Re: need help - force EAP-TTLS to validate the server certificate
> 
> > Klaus Laus wrote:
> > > I tried to log in from another client, but it's the same problem.
> > > 
> > > TLS Alert write:fatal:handshake failure
> > > TLS_accept:error in SSLv3 read client certificate B
> > > rlm_eap: SSL error error:140890C7:SSL
> > > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > SSL: SSL_read failed in a system call (-1), TLS session fails.
> > 
> >   That message should be clear.  The supplicant didn't send a client
> > certificate.
> > 
> >   Did you create a client certificate?
> > 
> >   If so, did you copy it to the client?
> > 
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Klaus Laus
Many thanks for your answer, Mearl Danner. I read the M$ pages but I 
didn't find any possibility to configure the clients so that the client 
uses a username/password and a certificate. Do you know how I can do these 
settings, or if it's generally not possible? Thanks again



---- Original message ----
> Date: Tue, 21 Sep 2010 08:02:27 -0500
> From: "Danner, Mearl" 
> To: FreeRadius users mailing list 
> Subject: RE: need help - force EAP-TTLS to validate the server certificate

> EAP/PEAP  requires a server certificate. You can opt for the M$ supplicant
> to verify it but it does not use a client certificate.
> 
> That's why there is no option to pick the client cert when setting up
> PEAP.
> 
> -Original Message-
> From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
> On Behalf Of Klaus Laus
> Sent: Tuesday, September 21, 2010 5:17 AM
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
> 
> The message is clear. Yes, I created a client certificate and imported it
> into the client. 
> When I use TLS to connect to the FreeRADIUS server I can choose the client
> certificate in the TLS dialog and the client can log in successfully.
> 
> When I use PEAP to log in I have to type in my username and password in the
> PEAP dialog from Windows, but I cannot select a client certificate; the
> certificate is imported successfully in the Windows certificate manager.
> Should I be able to choose a client certificate in the PEAP dialog, or
> should it work when the certificate is saved in the Windows certificate
> manager and I only have to type in my username and password in the PEAP
> dialog?
> 
> I want to allow only PEAP logins (or username/password logins) with a client
> certificate.
> 
> 
> 
> ---- Original message ----
> > Date: Tue, 21 Sep 2010 09:33:29 +0200
> > From: Alan DeKok 
> > To: FreeRadius users mailing list
> > Subject: Re: need help - force EAP-TTLS to validate the server certificate
> 
> > Klaus Laus wrote:
> > > I tried to log in from another client, but it's the same problem.
> > > 
> > > TLS Alert write:fatal:handshake failure
> > > TLS_accept:error in SSLv3 read client certificate B
> > > rlm_eap: SSL error error:140890C7:SSL
> > > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > SSL: SSL_read failed in a system call (-1), TLS session fails.
> > 
> >   That message should be clear.  The supplicant didn't send a client
> > certificate.
> > 
> >   Did you create a client certificate?
> > 
> >   If so, did you copy it to the client?
> > 
> >   Alan DeKok.
> 


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Alan DeKok
Klaus Laus wrote:
> I *only* wanted to know the whole time whether it's possible to log in on a client with 
> user/user password and a client certificate. I asked you *only* to say *no* or 
> *yes* and maybe one sentence more.
> 
> I know you're a FreeRADIUS expert, not an M$ expert, but I thought that when you know 
> how to set up a server you also know how to configure any client.
> If you don't want to answer that question, it's OK; I can search on M$ 
> websites, you're right. But I think if you wanted to, you could simply answer my 
> question.

  Honestly, I haven't configured a Windows system for EAP in 3-4 years.

  And my frustration wasn't about asking a Microsoft question.  It's
that you were *hiding* information.  The information you hid from us was
*exactly* the information needed to solve the problem.

  That was not nice.

  Alan DeKok.

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Klaus Laus
I *only* wanted to know the whole time whether it's possible to log in on a client with 
user/user password and a client certificate. I asked you *only* to say *no* or 
*yes* and maybe one sentence more.

I know you're a FreeRADIUS expert, not an M$ expert, but I thought that when you know 
how to set up a server you also know how to configure any client.
If you don't want to answer that question, it's OK; I can search on M$ 
websites, you're right. But I think if you wanted to, you could simply answer my 
question.

nevertheless thank you for the great help with the configuration of the server.

Greetings misterklaus



---- Original message ----
> Date: Tue, 21 Sep 2010 14:21:26 +0200
> From: Alan DeKok 
> To: FreeRadius users mailing list 
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > The message is clear. Yes, I created a client certificate and imported it
> > into the client. 
> > When I use TLS to connect to the FreeRADIUS server I can choose the
> > client certificate in the TLS dialog and the client can log in successfully.
> > 
> > When I use PEAP to log in I have to type in my username and password in
> > the PEAP dialog from Windows, but I cannot select a client certificate; the
> > certificate is imported successfully in the Windows certificate manager.
> 
>   So... the issue is that you haven't configured the client to use the
> client certificate.
> 
> > Should I be able to choose a client certificate in the PEAP dialog, or
> > should it work when the certificate is saved in the Windows certificate
> > manager and I only have to type in my username and password in the PEAP 
> > dialog?
> 
>   Ask Microsoft how their software works.  It's annoying to have you ask
> a question here when you *already* know that you haven't configured the
> client certificate for PEAP.
> 
>   It means that you *know* it's not sending a client certificate.  You
> *know* you haven't configured one on the client.  And you *still* post
> the FreeRADIUS debug output, asking us to debug the *server* to see why
> the client certificate isn't being used.
> 
>   Microsoft has documentation for Windows.  Read it.
> 
>   Alan DeKok.


RE: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Danner, Mearl
EAP/PEAP  requires a server certificate. You can opt for the M$ supplicant to 
verify it but it does not use a client certificate.

That's why there is no option to pick the client cert when setting up PEAP.

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 5:17 AM
To: FreeRadius users mailing list
Subject: Re: need help - force EAP-TTLS to validate the server certificate

The message is clear. Yes, I created a client certificate and imported it into 
the client. 
When I use TLS to connect to the FreeRADIUS server I can choose the client 
certificate in the TLS dialog and the client can log in successfully.

When I use PEAP to log in I have to type in my username and password in the PEAP 
dialog from Windows, but I cannot select a client certificate; the certificate 
is imported successfully in the Windows certificate manager.
Should I be able to choose a client certificate in the PEAP dialog, or should it 
work when the certificate is saved in the Windows certificate manager and I 
only have to type in my username and password in the PEAP dialog?

I want to allow only PEAP logins (or username/password logins) with a client 
certificate.



---- Original message ----
> Date: Tue, 21 Sep 2010 09:33:29 +0200
> From: Alan DeKok 
> To: FreeRadius users mailing list 
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > I tried to log in from another client, but it's the same problem.
> > 
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
> 
>   That message should be clear.  The supplicant didn't send a client
> certificate.
> 
>   Did you create a client certificate?
> 
>   If so, did you copy it to the client?
> 
>   Alan DeKok.



Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Alan DeKok
Klaus Laus wrote:
> The message is clear. Yes, I created a client certificate and imported it into 
> the client. 
> When I use TLS to connect to the FreeRADIUS server I can choose the client 
> certificate in the TLS dialog and the client can log in successfully.
> 
> When I use PEAP to log in I have to type in my username and password in the 
> PEAP dialog from Windows, but I cannot select a client certificate; the 
> certificate is imported successfully in the Windows certificate manager.

  So... the issue is that you haven't configured the client to use the
client certificate.

> Should I be able to choose a client certificate in the PEAP dialog, or should 
> it work when the certificate is saved in the Windows certificate manager and 
> I only have to type in my username and password in the PEAP dialog?

  Ask Microsoft how their software works.  It's annoying to have you ask
a question here when you *already* know that you haven't configured the
client certificate for PEAP.

  It means that you *know* it's not sending a client certificate.  You
*know* you haven't configured one on the client.  And you *still* post
the FreeRADIUS debug output, asking us to debug the *server* to see why
the client certificate isn't being used.

  Microsoft has documentation for Windows.  Read it.

  Alan DeKok.


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Klaus Laus
The message is clear. Yes, I created a client certificate and imported it into 
the client. 
When I use TLS to connect to the FreeRADIUS server I can choose the client 
certificate in the TLS dialog and the client can log in successfully.

When I use PEAP to log in I have to type in my username and password in the PEAP 
dialog from Windows, but I cannot select a client certificate; the certificate 
is imported successfully in the Windows certificate manager.
Should I be able to choose a client certificate in the PEAP dialog, or should it 
work when the certificate is saved in the Windows certificate manager and I 
only have to type in my username and password in the PEAP dialog?

I want to allow only PEAP logins (or username/password logins) with a client 
certificate.



---- Original message ----
> Date: Tue, 21 Sep 2010 09:33:29 +0200
> From: Alan DeKok 
> To: FreeRadius users mailing list 
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > I tried to log in from another client, but it's the same problem.
> > 
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
> 
>   That message should be clear.  The supplicant didn't send a client
> certificate.
> 
>   Did you create a client certificate?
> 
>   If so, did you copy it to the client?
> 
>   Alan DeKok.


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Alan DeKok
Klaus Laus wrote:
> I tried to log in from another client, but it's the same problem.
> 
> TLS Alert write:fatal:handshake failure
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> SSL: SSL_read failed in a system call (-1), TLS session fails.

  That message should be clear.  The supplicant didn't send a client
certificate.

  Did you create a client certificate?

  If so, did you copy it to the client?

  Alan DeKok.
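Alan's reading of the error is the whole diagnosis: the OpenSSL message names the missing piece. As an added example (not FreeRADIUS code and not from any poster), the Python script below groups `radiusd -X` output by request and turns that message into a verdict, so a long debug log can be triaged without reading every line. The sample log is a constructed excerpt modelled on the output posted elsewhere in this thread; the class and function names are mine, and the 7-byte Certificate check relies on the TLS handshake encoding (4-byte handshake header plus a 3-byte empty certificate_list), not on anything FreeRADIUS prints beyond the length.

```python
# Added example for this thread (not FreeRADIUS code): group radiusd -X output
# per RADIUS request and turn the OpenSSL error Alan points at
# ("peer did not return a certificate") into a plain verdict.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the debug output posted in the thread: packet
# id=8 is a TLS ACK that earns an Access-Challenge, id=9 carries the
# supplicant's empty Certificate message and is rejected.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.65.100.50 port 32791, id=8, length=190
User-Name = "testuser"
Calling-Station-Id = "0022FB1D434E"
[eap] EAP/peap
[peap] Received TLS ACK
Sending Access-Challenge of id 8 to 10.65.100.50 port 32791
rad_recv: Access-Request packet from host 10.65.100.50 port 32791, id=9, length=310
User-Name = "testuser"
Calling-Station-Id = "0022FB1D434E"
[eap] EAP/peap
[peap] <<< TLS 1.0 Handshake [length 0007], Certificate
[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
Failed to authenticate the user.
Sending Access-Reject of id 9 to 10.65.100.50 port 32791
"""

RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r'^\s*([A-Za-z0-9-]+) = "?([^"]*)"?$')
EAP_METHOD = re.compile(r"^\[eap\] EAP/(\w+)$")
TLS_IN = re.compile(r"^\[\w+\] <<< TLS [\d.]+ Handshake \[length ([0-9a-f]{4})\], (\w+)")
TLS_ALERT_OUT = re.compile(r"^\[\w+\] >>> TLS [\d.]+ Alert \[length [0-9a-f]{4}\], (.+)$")
SENDING = re.compile(r"^Sending (Access-\w+) of id \d+")
NO_CLIENT_CERT = "peer did not return a certificate"


@dataclass
class RequestSummary:
    packet_id: int
    nas: str
    attrs: Dict[str, str] = field(default_factory=dict)
    eap_method: Optional[str] = None
    handshakes_in: List[Tuple[str, int]] = field(default_factory=list)  # (msg, bytes)
    alerts_out: List[str] = field(default_factory=list)
    ssl_errors: List[str] = field(default_factory=list)
    outcome: Optional[str] = None

    def sent_empty_certificate(self) -> bool:
        # A TLS Certificate message is a 4-byte handshake header plus a 3-byte
        # certificate_list length, so 7 bytes means the list is empty: the
        # supplicant answered the server's CertificateRequest with nothing.
        return any(n == "Certificate" and size == 7 for n, size in self.handshakes_in)

    def diagnosis(self) -> str:
        if any(NO_CLIENT_CERT in e for e in self.ssl_errors):
            return "client-cert-missing"  # fix the supplicant, not eap.conf
        return {"Access-Challenge": "in-progress", "Access-Accept": "accepted",
                "Access-Reject": "rejected-other"}.get(self.outcome or "", "unknown")


def parse_debug(text: str) -> List[RequestSummary]:
    """Split radiusd -X output into one summary per received packet."""
    requests: List[RequestSummary] = []
    current: Optional[RequestSummary] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := RAD_RECV.match(line):
            current = RequestSummary(packet_id=int(m.group(3)), nas=m.group(2))
            requests.append(current)
        elif current is None:
            continue  # startup banner and config dump precede the first packet
        elif m := SENDING.match(line):
            current.outcome = m.group(1)
        elif m := EAP_METHOD.match(line):
            current.eap_method = m.group(1)
        elif m := TLS_IN.match(line):
            current.handshakes_in.append((m.group(2), int(m.group(1), 16)))
        elif m := TLS_ALERT_OUT.match(line):
            current.alerts_out.append(m.group(1).strip())
        elif "SSL error" in line or line.startswith(("TLS Alert", "TLS_accept:", "SSL:")):
            current.ssl_errors.append(line)
        elif current.outcome is None and (m := ATTR.match(line)):
            current.attrs[m.group(1)] = m.group(2)  # request attributes only
    return requests


def report(text: str) -> List[str]:
    """One verdict line per request, handy for a quick scan of a long debug log."""
    return [f"id={r.packet_id} nas={r.nas} user={r.attrs.get('User-Name')} "
            f"eap={r.eap_method} outcome={r.outcome} verdict={r.diagnosis()}"
            for r in parse_debug(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG)))
```

Run it as a script, or pass the saved output of `radiusd -X` to `report()`. The `client-cert-missing` verdict is the situation in this thread: the supplicant reached the Certificate step and sent an empty list, so the server's `EAP-TLS-Require-Client-Cert` setting is doing its job and the remaining work is on the Windows side.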

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-20 Thread Klaus Laus
I tried to log in from another client, but it's the same problem.

TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.

Sorry to ask again, but I want to be sure that I haven't misunderstood 
anything.
Is it not generally possible to configure the FreeRADIUS server so that only 
clients with username/password and a client certificate can log in successfully?
For example, only users who choose PEAP with the right username and password 
and have a client certificate can log in successfully.

Or is the problem with the error in reading the client certificate a problem in the 
clients?

Thanks a lot!

---- Original message ----
> Date: Fri, 17 Sep 2010 11:26:56 -0400
> From: John Dennis 
> To: FreeRadius users mailing list 
> CC: Klaus Laus 
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> On 09/17/2010 11:00 AM, Klaus Laus wrote:
> >
> > Thanks a lot for your answer.
> >> Either move the "files" module before "eap", or use unlang to set it:
> >>
> >> authorize {
> >> ...
> >> update control {
> >>   EAP-TLS-Require-Client-Cert = yes
> >> }
> >> eap
> >> ...
> >> }
> > I did the changes in the authorize section, and FreeRADIUS seems to
> > require the client certificate. But the server does not accept my certificate. I
> > don't think that the certificate is bad, because I can log in from any client with
> > the same certificate when I use TLS instead of PEAP.
> > This is how I log in with PEAP on a Windows XP client; maybe I am doing
> > something wrong:
> > I import the PKCS#12 certificate from the FreeRADIUS server into the
> > Windows XP certificate management. When I type certmgr.msc under "Run" I can 
> > see
> > that the certificate is successfully imported. Then I scan for the wireless
> > networks and connect to wifix; I use PEAP with MSCHAP v2 and type in
> > testuser as user with the correct password.
> > Here you can see the debug output (FreeRADIUS did not find my
> > certificate):
> 
> That's right, the server didn't get your cert; it's right there in the debug. 
> As Alan said, this isn't a server issue, it's a client issue; figure out 
> why your client is not returning a cert.
> 
> > TLS Alert write:fatal:handshake failure
> >  TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
> -- 
> John Dennis 
> 
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-17 Thread John Dennis

On 09/17/2010 11:00 AM, Klaus Laus wrote:
>
> Thanks a lot for your answer.
>> Either move the "files" module before "eap", or use unlang to set it:
>>
>> authorize {
>> ...
>> update control {
>>   EAP-TLS-Require-Client-Cert = yes
>> }
>> eap
>> ...
>> }
>
> I did the changes in the authorize section, and FreeRADIUS seems to require the 
> client certificate. But the server does not accept my certificate. I don't think 
> that the certificate is bad, because I can log in from any client with the same 
> certificate when I use TLS instead of PEAP.
> This is how I log in with PEAP on a Windows XP client; maybe I am doing something 
> wrong:
> I import the PKCS#12 certificate from the FreeRADIUS server into the Windows XP certificate 
> management. When I type certmgr.msc under "Run" I can see that the certificate 
> is successfully imported. Then I scan for the wireless networks and connect to wifix; I 
> use PEAP with MSCHAP v2 and type in testuser as user with the correct password.
> Here you can see the debug output (FreeRADIUS did not find my certificate):

That's right, the server didn't get your cert; it's right there in the debug. 
As Alan said, this isn't a server issue, it's a client issue; figure out 
why your client is not returning a cert.

> TLS Alert write:fatal:handshake failure
>  TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer 
> did not return a certificate
> SSL: SSL_read failed in a system call (-1), TLS session fails.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-17 Thread Klaus Laus
Aruba-Essid-Name = "wifix"
Aruba-Location-Id = "1.1.1"
Message-Authenticator = 0x5350cc86ad25169c3c750d66e27a7a87
+- entering group authorize {...}
++[control] returns notfound
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 8 to 10.65.100.50 port 32791
EAP-Message = 
0xc65cb7bcb9c577f35991aa38aa19aa4906c601004d1186b953e90603a1826fd3e48b6dc487d3fd5451923e97dd9dc9e5b4e9485940eb47f64c2d54e2a4998f5b0a56766ee64ce2cc9f677a1e0dec6fa0b990bc6717f48981b2ec4e3b35ef56c29763c5505c9fc1014c31923a439e20a16b49f9812bab931d0eb5f862dd274124d3e067d63fe9303a61a7e37d51d18ed0521b6dbd12184e46ca95f30cefd9f94e29bf2cd28babb6a56f03a111ecfea8eb7b6ebf8ffc55871f3ad45fb5edd5a1cc0c12b9b4223489574cb45f4268662fa805844acf1b080b88760edfa6f1198814ab12a2e87262245ed54b9a634f14743e83aa4edb1219fec8815e9a01ca
EAP-Message = 
0xf5699d21162364c1ebc9a42d907af3559344c46a17418316030100880d80050304010240007800763074310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267311c301a060355040a13135361757465722d43756d756c757320476d6248311730150603550403130e4d6172636f204b616c6d626163680e00
Message-Authenticator = 0x
State = 0x3f25f9043b23e0753b744dff47904da8
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.65.100.50 port 32791, id=9, 
length=310
User-Name = "testuser"
NAS-IP-Address = 10.65.100.50
NAS-Identifier = "other"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022FB1D434E"
Called-Station-Id = "001B2F249FE0"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 
0x0206009c1980009216030100070b0300160301004610420040d2f3945de07408d38befe9ee2604880eeff1ed35718731b387080e2941942cbb8fe43238881d111b1a36a020e5c21a5739c9d0a66c3c955cc84baeb3138f2b0914030100010116030100308cf41a7573c4ad40a8161b748b11fa3a9888e0fa13c3d2f41cc6a7703902fa736455ce112c2951d5fe166af5041d8294
State = 0x3f25f9043b23e0753b744dff47904da8
Aruba-Essid-Name = "wifix"
Aruba-Location-Id = "1.1.1"
Message-Authenticator = 0x0aa542dcaac69b04c228e15d97addc5a
+- entering group authorize {...}
++[control] returns notfound
[eap] EAP packet type response id 6 length 156
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 146
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0007], Certificate  
[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure  
TLS Alert write:fatal:handshake failure 
TLS_accept:error in SSLv3 read client certificate B 
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer 
did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4 
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 9 to 10.65.100.50 port 32791
EAP-Message = 0x04060004
Message-Authenticator = 0x
Waking up in 3.7 seconds.
Cleaning up request 0 ID 4 with timestamp +16
Cleaning up request 1 ID 5 with timestamp +16
Waking up in 0.2 seconds.
Cleaning up request 2 ID 6 with timestamp +16
Cleaning up 

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Phil Mayers

On 16/09/10 14:35, Klaus Laus wrote:

ok, this is the debug output:

FreeRADIUS Version 2.1.6, for host i686-pc-linux-gnu, built on Oct 27 2009 at 
17:05:49
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
 prefix = "/usr"
 localstatedir = "/var"
 logdir = "/var/log/radius"
 libdir = "/usr/lib/freeradius"
 radacctdir = "/var/log/radius/radacct"
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 allow_core_dumps = no
 pidfile = "/var/run/radiusd/radiusd.pid"
 checkrad = "/usr/sbin/checkrad"
 debug_level = 0
 proxy_requests = yes
  log {
 stripped_names = no
 auth = no
 auth_badpass = no
 auth_goodpass = no
  }
  security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
  }
}
radiusd:  Loading Realms and Home Servers 
  proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
  }
  home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = "auth"
 secret = "testing123"
 response_window = 20
 max_outstanding = 65536
 require_message_authenticator = no
 zombie_period = 40
 status_check = "status-server"
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
 irt = 2
 mrt = 16
 mrc = 5
 mrd = 30
  }
  home_server_pool my_auth_failover {
 type = fail

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Alan DeKok
Klaus Laus wrote:
> I did this, but the clients can still log in without any client 
> certificate, for example with PEAP or EAP-TTLS. Here is my users file:

Is it that hard to show the debug output?

> Here's the eap.conf file

  Neither the documentation nor messages on this list ask for the EAP
configuration.

> Any ideas what is wrong here? Thanks

  If you're not going to post the debug output, we have no idea what's
wrong.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Klaus Laus
>   Put this into the "users" file:
> 
> DEFAULT   EAP-TLS-Require-Client-Cert = yes

I did this, but the clients can still log in without any client
certificate, for example with PEAP or EAP-TTLS. Here is my users file:

DEFAULT EAP-TLS-Require-Client-Cert = yes

testuser Cleartext-Password := "xxx"
	Reply-Message = "Hello, %{User-Name}"

DEFAULT Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
	Framed-Protocol = SLIP

Here's the eap.conf file

eap {
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
	md5 {
	}
	leap {
	}
	gtc {
		auth_type = PAP
	}
	tls {
		certdir = /etc/ssl
		cadir = /etc/ssl
		private_key_password = xx
		private_key_file = ${certdir}/serverkey.pem
		certificate_file = ${certdir}/servercert.pem
		CA_file = ${cadir}/cacert.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		check_crl = no
		CA_path = /etc/ssl
		cipher_list = "DEFAULT"
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		proxy_tunneled_request_as_eap = yes
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}


Any ideas what is wrong here? Thanks

 Original message 
> Date: Thu, 16 Sep 2010 09:54:28 +0200
> From: Alan DeKok 
> To: FreeRadius users mailing list 
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > Thanks a lot Alan DeKok, do I have any possibility to permit login only
> > to persons with username/password and client certificate?
> > All authentication methods work fine on my server, but I'll only
> > permit login with username/password and client certificate. Which code do I
> > need to set in users/eap.conf?
> > TLS works fine on my server and the users can log in themselves with the
> > client certificate, but I don't want to allow login without
> > username/password, and I also don't want to allow logins with username and
> > password but without client certificates.
> 
>   Put this into the "users" file:
> 
> DEFAULT   EAP-TLS-Require-Client-Cert = yes
> 
>   This will require client certificates for *all* EAP methods.  If you
> want it to be more specific, see "man unlang" for writing general
> policies.
> 
>   Alan DeKok.


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-16 Thread Alan DeKok
Klaus Laus wrote:
> Thanks a lot Alan DeKok, do I have any possibility to permit login only
> to persons with username/password and client certificate?
> All authentication methods work fine on my server, but I'll only permit
> login with username/password and client certificate. Which code do I need to set
> in users/eap.conf?
> TLS works fine on my server and the users can log in themselves with the
> client certificate, but I don't want to allow login without username/password,
> and I also don't want to allow logins with username and password but without
> client certificates.

  Put this into the "users" file:

DEFAULT EAP-TLS-Require-Client-Cert = yes

  This will require client certificates for *all* EAP methods.  If you
want it to be more specific, see "man unlang" for writing general policies.

  Alan DeKok.
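The one-line "users" entry above turns the client-certificate requirement on for every EAP session. As an added example that is not part of this thread or of the FreeRADIUS distribution, here is the "more specific" unlang form Alan points at: the same control attribute, set in the authorize section of the outer virtual server (sites-enabled/default) only for requests that come from one NAS. The NAS address 192.0.2.10 is a constructed placeholder. Two things about placement matter: the update has to run before the "eap" module is called, because the TLS session, and with it the decision to demand a client certificate, is created from the control items present when the EAP method is initiated; and it has to be in the outer server, not inner-tunnel, because that is where the TTLS/PEAP TLS handshake is handled. One caveat on the "users" file route: a matching DEFAULT entry ends the lookup unless its reply items include Fall-Through = Yes, so an unconditional DEFAULT line placed at the top of the file shadows every entry below it.

```unlang
# Added example, not from this thread or from the FreeRADIUS project.
# Fragment of the "authorize" section in /etc/raddb/sites-enabled/default.
# Only the part before and including the "eap" call is relevant; the
# remaining module calls are the usual defaults and are kept so the
# section reads as a whole.
#
# 192.0.2.10 is a constructed placeholder for the NAS (access point)
# address; any other condition (realm, NAS-Identifier, Called-Station-Id)
# can be used the same way.
authorize {
	preprocess

	# Require a client certificate inside the TLS handshake, but only for
	# EAP sessions arriving from this NAS. Must run BEFORE "eap" below,
	# otherwise the TLS session has already been set up without the
	# requirement.
	if (NAS-IP-Address == 192.0.2.10) {
		update control {
			EAP-TLS-Require-Client-Cert = yes
		}
	}

	eap {
		ok = return
	}

	files
	expiration
	logintime
	pap
}
```

After changing the file, start the server with radiusd -X and try a supplicant from that NAS with no client certificate configured: the server now rejects the TLS handshake as soon as the client answers the certificate request with an empty certificate, and a supplicant from any other NAS is unaffected.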

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-15 Thread Klaus Laus
Thanks a lot Alan DeKok, do I have any possibility to permit login only to persons
with username/password and client certificate?
All authentication methods work fine on my server, but I'll only permit login
with username/password and client certificate. Which code do I need to set in
users/eap.conf?
TLS works fine on my server and the users can log in themselves with the client
certificate, but I don't want to allow login without username/password, and I
also don't want to allow logins with username and password but without client
certificates.

Best Greetings, misterklaus

 Original message 
> Date: Wed, 15 Sep 2010 10:47:52 +0200
> From: Alan DeKok 
> To: FreeRadius users mailing list 
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > Hello, I have one question: is it possible to configure my freeradius
> > server so that only clients with a CA certificate can log in themselves with
> > their username and password? I want to configure my freeradius server so
> > that the users can only log in after successful server certificate
> > validation.
> > At the moment I use EAP-TTLS for authentication, but the option "server
> > certificate validation" in the clients is optional. I want to use EAP-TTLS
> > and force the CA certificate on the clients.
> 
>   You can't force the client to validate the CA cert.  That is a
> configuration which needs to be set on the client.
> 
>   Alan DeKok.


Re: need help - force EAP-TTLS to validate the server certificate

2010-09-15 Thread Alan DeKok
Klaus Laus wrote:
> Hello, I have one question: is it possible to configure my freeradius server
> so that only clients with a CA certificate can log in themselves with their
> username and password? I want to configure my freeradius server so that the
> users can only log in after successful server certificate validation.
> At the moment I use EAP-TTLS for authentication, but the option "server
> certificate validation" in the clients is optional. I want to use EAP-TTLS
> and force the CA certificate on the clients.

  You can't force the client to validate the CA cert.  That is a
configuration which needs to be set on the client.

  Alan DeKok.