RE: RE: need help - force EAP-TTLS to validate the server certificate
Not possible with the Microsoft supplicant as far as I know. PEAP encapsulation doesn't support client certificates. Probably what you want is EAP-TTLS which is not supported by Microsoft. You'll need a third party supplicant for it. Might look at this for reference: http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 10:30 AM
To: FreeRadius users mailing list
Subject: Re: RE: need help - force EAP-TTLS to validate the server certificate

A lot of thanks for your answer Mearl Danner, I read the pages of M$ but I didn't find any possibilities to configure the clients so that the client uses a username/password and certificate. Do you know how I can do these settings or if it's generally not possible?

Thanks again

-------- Original message --------
> Date: Tue, 21 Sep 2010 08:02:27 -0500
> From: "Danner, Mearl"
> To: FreeRadius users mailing list
> Subject: RE: need help - force EAP-TTLS to validate the server certificate
>
> EAP/PEAP requires a server certificate. You can opt for the M$ supplicant
> to verify it but it does not use a client certificate.
>
> That's why there is no option to pick the client cert when setting up
> PEAP.
>
> -----Original Message-----
> From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
> On Behalf Of Klaus Laus
> Sent: Tuesday, September 21, 2010 5:17 AM
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> The message is clear. Yes I created a client certificate and imported it
> into the client.
> When I use TLS to connect to the freeradius server I can choose the client
> certificate in the TLS dialog and the client can login successfully.
>
> When I use PEAP to login I have to type in my username and password in the
> PEAP dialog from windows but I can not select a client certificate; the
> certificate is imported successfully in the windows certificate manager.
> Should I be able to choose a client certificate in the PEAP dialog, or
> should it work when the certificate is saved in the windows certificate
> manager and I only have to type in my username and password in the PEAP dialog?
>
> I want to allow only PEAP logins (or username/password logins) with client
> certificate.
>
> -------- Original message --------
> > Date: Tue, 21 Sep 2010 09:33:29 +0200
> > From: Alan DeKok
> > To: FreeRadius users mailing list
> > Subject: Re: need help - force EAP-TTLS to validate the server certificate
> >
> > Klaus Laus wrote:
> > > I tried to login from another client, but it's the same problem.
> > >
> > > TLS Alert write:fatal:handshake failure
> > > TLS_accept:error in SSLv3 read client certificate B
> > > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > SSL: SSL_read failed in a system call (-1), TLS session fails.
> >
> > That message should be clear. The supplicant didn't send a client
> > certificate.
> >
> > Did you create a client certificate?
> >
> > If so, did you copy it to the client?
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
Re: RE: need help - force EAP-TTLS to validate the server certificate
A lot of thanks for your answer Mearl Danner, I read the pages of M$ but I didn't find any possibilities to configure the clients so that the client uses a username/password and certificate. Do you know how I can do these settings or if it's generally not possible?

Thanks again

-------- Original message --------
> Date: Tue, 21 Sep 2010 08:02:27 -0500
> From: "Danner, Mearl"
> To: FreeRadius users mailing list
> Subject: RE: need help - force EAP-TTLS to validate the server certificate
>
> EAP/PEAP requires a server certificate. You can opt for the M$ supplicant
> to verify it but it does not use a client certificate.
>
> That's why there is no option to pick the client cert when setting up
> PEAP.
>
> -----Original Message-----
> From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
> On Behalf Of Klaus Laus
> Sent: Tuesday, September 21, 2010 5:17 AM
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> The message is clear. Yes I created a client certificate and imported it
> into the client.
> When I use TLS to connect to the freeradius server I can choose the client
> certificate in the TLS dialog and the client can login successfully.
>
> When I use PEAP to login I have to type in my username and password in the
> PEAP dialog from windows but I can not select a client certificate; the
> certificate is imported successfully in the windows certificate manager.
> Should I be able to choose a client certificate in the PEAP dialog, or
> should it work when the certificate is saved in the windows certificate
> manager and I only have to type in my username and password in the PEAP dialog?
>
> I want to allow only PEAP logins (or username/password logins) with client
> certificate.
>
> -------- Original message --------
> > Date: Tue, 21 Sep 2010 09:33:29 +0200
> > From: Alan DeKok
> > To: FreeRadius users mailing list
> > Subject: Re: need help - force EAP-TTLS to validate the server certificate
> >
> > Klaus Laus wrote:
> > > I tried to login from another client, but it's the same problem.
> > >
> > > TLS Alert write:fatal:handshake failure
> > > TLS_accept:error in SSLv3 read client certificate B
> > > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > SSL: SSL_read failed in a system call (-1), TLS session fails.
> >
> > That message should be clear. The supplicant didn't send a client
> > certificate.
> >
> > Did you create a client certificate?
> >
> > If so, did you copy it to the client?
> >
> > Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> I *only* want to know all the time if it's possible to login on a client with
> user/userpassword and client certificate. I asked you *only* to say *no* or
> *yes* and maybe one sentence more.
>
> I know you're a freeradius expert not a M$ expert but I thought when you know
> how to set up a server you just know how to configure any clients.
> When you don't want to answer me that question it's ok, I can search on M$
> websites, you're right. But I think if you wanted you could simply answer my
> question.

Honestly, I haven't configured a Windows system for EAP in 3-4 years.

And my frustration wasn't about asking a Microsoft question. It's that you were *hiding* information. The information you hid from us was *exactly* the information needed to solve the problem.

That was not nice.

Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
I *only* want to know all the time if it's possible to login on a client with user/userpassword and client certificate. I asked you *only* to say *no* or *yes* and maybe one sentence more.

I know you're a freeradius expert not a M$ expert but I thought when you know how to set up a server you just know how to configure any clients. When you don't want to answer me that question it's ok, I can search on M$ websites, you're right. But I think if you wanted you could simply answer my question.

Nevertheless thank you for the great help with the configuration of the server.

Greetings
misterklaus

-------- Original message --------
> Date: Tue, 21 Sep 2010 14:21:26 +0200
> From: Alan DeKok
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> Klaus Laus wrote:
> > The message is clear. Yes I created a client certificate and imported it
> > into the client.
> > When I use TLS to connect to the freeradius server I can choose the
> > client certificate in the TLS dialog and the client can login successfully.
> >
> > When I use PEAP to login I have to type in my username and password in
> > the PEAP dialog from windows but I can not select a client certificate; the
> > certificate is imported successfully in the windows certificate manager.
>
> So... the issue is that you haven't configured the client to use the
> client certificate.
>
> > Should I be able to choose a client certificate in the PEAP dialog or
> > should it work when the certificate is saved in the windows certificate
> > manager and I only have to type in my username and password in the PEAP
> > dialog?
>
> Ask Microsoft how their software works. It's annoying to have you ask
> a question here when you *already* know that you haven't configured the
> client certificate for PEAP.
>
> It means that you *know* it's not sending a client certificate. You
> *know* you haven't configured one on the client. And you *still* post
> the FreeRADIUS debug output, asking us to debug the *server* to see why
> the client certificate isn't being used.
>
> Microsoft has documentation for Windows. Read it.
>
> Alan DeKok.
RE: need help - force EAP-TTLS to validate the server certificate
EAP/PEAP requires a server certificate. You can opt for the M$ supplicant to verify it but it does not use a client certificate.

That's why there is no option to pick the client cert when setting up PEAP.

-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 5:17 AM
To: FreeRadius users mailing list
Subject: Re: need help - force EAP-TTLS to validate the server certificate

The message is clear. Yes I created a client certificate and imported it into the client.
When I use TLS to connect to the freeradius server I can choose the client certificate in the TLS dialog and the client can login successfully.

When I use PEAP to login I have to type in my username and password in the PEAP dialog from windows but I can not select a client certificate; the certificate is imported successfully in the windows certificate manager.
Should I be able to choose a client certificate in the PEAP dialog, or should it work when the certificate is saved in the windows certificate manager and I only have to type in my username and password in the PEAP dialog?

I want to allow only PEAP logins (or username/password logins) with client certificate.

-------- Original message --------
> Date: Tue, 21 Sep 2010 09:33:29 +0200
> From: Alan DeKok
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> Klaus Laus wrote:
> > I tried to login from another client, but it's the same problem.
> >
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
>
> That message should be clear. The supplicant didn't send a client
> certificate.
>
> Did you create a client certificate?
>
> If so, did you copy it to the client?
>
> Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> The message is clear. Yes I created a client certificate and imported it into
> the client.
> When I use TLS to connect to the freeradius server I can choose the client
> certificate in the TLS dialog and the client can login successfully.
>
> When I use PEAP to login I have to type in my username and password in the
> PEAP dialog from windows but I can not select a client certificate; the
> certificate is imported successfully in the windows certificate manager.

So... the issue is that you haven't configured the client to use the client certificate.

> Should I be able to choose a client certificate in the PEAP dialog or should
> it work when the certificate is saved in the windows certificate manager and
> I only have to type in my username and password in the PEAP dialog?

Ask Microsoft how their software works. It's annoying to have you ask a question here when you *already* know that you haven't configured the client certificate for PEAP.

It means that you *know* it's not sending a client certificate. You *know* you haven't configured one on the client. And you *still* post the FreeRADIUS debug output, asking us to debug the *server* to see why the client certificate isn't being used.

Microsoft has documentation for Windows. Read it.

Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
The message is clear. Yes I created a client certificate and imported it into the client.
When I use TLS to connect to the freeradius server I can choose the client certificate in the TLS dialog and the client can login successfully.

When I use PEAP to login I have to type in my username and password in the PEAP dialog from windows but I can not select a client certificate; the certificate is imported successfully in the windows certificate manager.
Should I be able to choose a client certificate in the PEAP dialog, or should it work when the certificate is saved in the windows certificate manager and I only have to type in my username and password in the PEAP dialog?

I want to allow only PEAP logins (or username/password logins) with client certificate.

-------- Original message --------
> Date: Tue, 21 Sep 2010 09:33:29 +0200
> From: Alan DeKok
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> Klaus Laus wrote:
> > I tried to login from another client, but it's the same problem.
> >
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
>
> That message should be clear. The supplicant didn't send a client
> certificate.
>
> Did you create a client certificate?
>
> If so, did you copy it to the client?
>
> Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> I tried to login from another client, but it's the same problem.
>
> TLS Alert write:fatal:handshake failure
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> SSL: SSL_read failed in a system call (-1), TLS session fails.

That message should be clear. The supplicant didn't send a client certificate.

Did you create a client certificate?

If so, did you copy it to the client?

Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
I tried to login from another client, but it's the same problem.

TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.

Sorry that I ask again, but I want to be sure that I didn't understand anything wrong. Is it not generally possible to configure the freeradius server so that only clients with username/password and client certificate can login successfully? For example only users who choose PEAP with the right username and password and having a client certificate can login successfully. Or is the problem with the error in reading the client certificate a problem in the clients?

Thanks a lot!

-------- Original message --------
> Date: Fri, 17 Sep 2010 11:26:56 -0400
> From: John Dennis
> To: FreeRadius users mailing list
> CC: Klaus Laus
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> On 09/17/2010 11:00 AM, Klaus Laus wrote:
> >
> > thanks a lot for your answer.
> >> Either move the "files" module before "eap", or use unlang to set it:
> >>
> >> authorize {
> >>	...
> >>	update control {
> >>		EAP-TLS-Require-Client-Cert = yes
> >>	}
> >>	eap
> >>	...
> >> }
> >
> > I did the changes in the authorize section, and freeradius seems to
> > require the client certificate. But the server does not accept my certificate. I
> > don't think that the certificate is bad because I can login any client with
> > the same certificate when I use TLS instead of PEAP.
> >
> > This is my way to login with PEAP on a windows xp client, maybe I do
> > anything wrong?
> >
> > I import the pkcs12 certificate from the freeradius server in the
> > windows xp certificate management. When I type certmgr.msc under "run" I can
> > see that the certificate is successfully imported. Then I scan for the wireless
> > networks and connect to wifix, I use PEAP with MSCHAP v.2 and type in
> > testuser as user with the correct password.
> >
> > Here you can see the debug output (freeradius did not find my
> > certificate):
>
> That's right, the server didn't get your cert, it's right in the debug.
> As Alan said this isn't a server issue, it's a client issue, figure out
> why your client is not returning a cert.
>
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: need help - force EAP-TTLS to validate the server certificate
On 09/17/2010 11:00 AM, Klaus Laus wrote:
>
> thanks a lot for your answer.
>> Either move the "files" module before "eap", or use unlang to set it:
>>
>> authorize {
>>	...
>>	update control {
>>		EAP-TLS-Require-Client-Cert = yes
>>	}
>>	eap
>>	...
>> }
>
> I did the changes in the authorize section, and freeradius seems to require the client certificate. But the server does not accept my certificate. I don't think that the certificate is bad because I can login any client with the same certificate when I use TLS instead of PEAP.
>
> This is my way to login with PEAP on a windows xp client, maybe I do anything wrong?
>
> I import the pkcs12 certificate from the freeradius server in the windows xp certificate management. When I type certmgr.msc under "run" I can see that the certificate is successfully imported. Then I scan for the wireless networks and connect to wifix, I use PEAP with MSCHAP v.2 and type in testuser as user with the correct password.
>
> Here you can see the debug output (freeradius did not find my certificate):

That's right, the server didn't get your cert, it's right in the debug. As Alan said this isn't a server issue, it's a client issue, figure out why your client is not returning a cert.

> TLS Alert write:fatal:handshake failure
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> SSL: SSL_read failed in a system call (-1), TLS session fails.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: need help - force EAP-TTLS to validate the server certificate
	t;wifix"
	Aruba-Location-Id = "1.1.1"
	Message-Authenticator = 0x5350cc86ad25169c3c750d66e27a7a87
+- entering group authorize {...}
++[control] returns notfound
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 8 to 10.65.100.50 port 32791
	EAP-Message = 0xf5699d21162364c1ebc9a42d907af3559344c46a17418316030100880d80050304010240007800763074310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267311c301a060355040a13135361757465722d43756d756c757320476d6248311730150603550403130e4d6172636f204b616c6d626163680e00
	Message-Authenticator = 0x
	State = 0x3f25f9043b23e0753b744dff47904da8
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.65.100.50 port 32791, id=9, length=310
	User-Name = "testuser"
	NAS-IP-Address = 10.65.100.50
	NAS-Identifier = "other"
	NAS-Port = 1
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "0022FB1D434E"
	Called-Station-Id = "001B2F249FE0"
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = 0x0206009c1980009216030100070b0300160301004610420040d2f3945de07408d38befe9ee2604880eeff1ed35718731b387080e2941942cbb8fe43238881d111b1a36a020e5c21a5739c9d0a66c3c955cc84baeb3138f2b0914030100010116030100308cf41a7573c4ad40a8161b748b11fa3a9888e0fa13c3d2f41cc6a7703902fa736455ce112c2951d5fe166af5041d8294
	State = 0x3f25f9043b23e0753b744dff47904da8
	Aruba-Essid-Name = "wifix"
	Aruba-Location-Id = "1.1.1"
	Message-Authenticator = 0x0aa542dcaac69b04c228e15d97addc5a
+- entering group authorize {...}
++[control] returns notfound
[eap] EAP packet type response id 6 length 156
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 146
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0007], Certificate
[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 9 to 10.65.100.50 port 32791
	EAP-Message = 0x04060004
	Message-Authenticator = 0x
Waking up in 3.7 seconds.
Cleaning up request 0 ID 4 with timestamp +16
Cleaning up request 1 ID 5 with timestamp +16
Waking up in 0.2 seconds.
Cleaning up request 2 ID 6 with timestamp +16
Cleaning up
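The debug output above is the whole story of this thread in a few lines: the server asks for a client certificate, the supplicant answers with an empty Certificate message ("[length 0007]" is a 4-byte handshake header plus a 3-byte list length of zero), OpenSSL raises "peer did not return a certificate", and the request ends in an Access-Reject. The following script is an added example, not code from the thread or from the FreeRADIUS project: it reads radiusd -X output in the 2.1.x format pasted here, groups it per Access-Request, and classifies each attempt so an operator can tell "client never sent a cert" apart from other TLS failures. The embedded sample log is constructed from the lines in the thread; the second, accepted request (user "certuser", MAC 0022FB1D5A01) is invented for contrast.

```python
"""Triage FreeRADIUS 2.x debug output (radiusd -X) for EAP client-certificate failures.

Added example; not FreeRADIUS code. Patterns follow the debug format pasted in
the thread, and SAMPLE_DEBUG below is constructed from those lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQUEST_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")          # indented attribute dump after rad_recv
EAP_TYPE_RE = re.compile(r"^\[eap\] EAP/(\w+)$")        # outer EAP method, e.g. "[eap] EAP/peap"
CERT_MSG_RE = re.compile(r"<<< TLS \S+ Handshake \[length ([0-9a-fA-F]+)\], Certificate$")
SSL_ERR_RE = re.compile(r"^rlm_eap: SSL error (.*)$")
RESULT_RE = re.compile(r"^Sending Access-(Accept|Reject) of id (\d+) to (\S+)")


@dataclass
class EapAttempt:
    request_id: str
    nas_ip: str
    user_name: Optional[str] = None
    calling_station: Optional[str] = None
    eap_type: Optional[str] = None
    # A 7-byte Certificate message is header (4) + empty list length (3):
    # the client answered the CertificateRequest with no certificate at all.
    empty_cert_message: bool = False
    ssl_errors: List[str] = field(default_factory=list)
    outcome: str = "in-progress"

    @property
    def reason(self) -> Optional[str]:
        """Best-effort classification of a failed TLS handshake."""
        if self.empty_cert_message or any("peer did not return a certificate" in e for e in self.ssl_errors):
            return "client-cert-missing"
        return "tls-error" if self.ssl_errors else None


def parse_debug(text: str) -> List[EapAttempt]:
    """Group radiusd -X output per Access-Request and collect the TLS outcome."""
    attempts: List[EapAttempt] = []
    by_id: Dict[str, EapAttempt] = {}   # Access-Accept/Reject is matched by packet id
    current: Optional[EapAttempt] = None
    in_header = False
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = EapAttempt(request_id=m.group(2), nas_ip=m.group(1))
            attempts.append(current)
            by_id[current.request_id] = current
            in_header = True
            continue
        if current is None:
            continue
        if in_header:
            m = ATTR_RE.match(line)
            if m:
                name, value = m.group(1), m.group(2).strip('"')
                if name == "User-Name":
                    current.user_name = value
                elif name == "Calling-Station-Id":
                    current.calling_station = value
                continue
            in_header = False               # first unindented line ends the attribute dump
        if (m := EAP_TYPE_RE.match(line)):
            current.eap_type = m.group(1)
        elif (m := CERT_MSG_RE.search(line)) and int(m.group(1), 16) == 7:
            current.empty_cert_message = True
        elif (m := SSL_ERR_RE.match(line)):
            current.ssl_errors.append(m.group(1))
        elif (m := RESULT_RE.match(line)) and m.group(2) in by_id:
            by_id[m.group(2)].outcome = "accepted" if m.group(1) == "Accept" else "rejected"
    return attempts


def summarize(attempts: List[EapAttempt]) -> List[str]:
    """One report line per attempt: who, from where, which EAP method, and why it failed."""
    return [
        f"id={a.request_id} nas={a.nas_ip} user={a.user_name} mac={a.calling_station} "
        f"eap={a.eap_type} outcome={a.outcome} reason={a.reason}"
        for a in attempts
    ]


# Constructed sample, assembled from the debug lines pasted in the thread;
# the second (accepted) request is invented for contrast.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.65.100.50 port 32791, id=9, length=310
    User-Name = "testuser"
    NAS-IP-Address = 10.65.100.50
    Calling-Station-Id = "0022FB1D434E"
    Aruba-Essid-Name = "wifix"
+- entering group authorize {...}
Found Auth-Type = EAP
[eap] EAP/peap
[peap] <<< TLS 1.0 Handshake [length 0007], Certificate
[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
Sending Access-Reject of id 9 to 10.65.100.50 port 32791
rad_recv: Access-Request packet from host 10.65.100.50 port 32791, id=12, length=290
    User-Name = "certuser"
    Calling-Station-Id = "0022FB1D5A01"
[eap] EAP/peap
[peap] <<< TLS 1.0 Handshake [length 0462], Certificate
Sending Access-Accept of id 12 to 10.65.100.50 port 32791
"""

if __name__ == "__main__":
    for report_line in summarize(parse_debug(SAMPLE_DEBUG)):
        print(report_line)
```

Run it against a saved `radiusd -X` capture (`python3 triage.py < debug.txt` after swapping SAMPLE_DEBUG for `sys.stdin.read()`) and the report tells you, per request, whether the failure is on the supplicant side (no certificate offered at all) before anyone starts debugging the server's eap.conf. Packet ids wrap at 256 and are reused, so for long captures key on the `Finished request N` counter as well.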
Re: need help - force EAP-TTLS to validate the server certificate
On 16/09/10 14:35, Klaus Laus wrote:
> ok, this is the debug output:
>
> FreeRADIUS Version 2.1.6, for host i686-pc-linux-gnu, built on Oct 27 2009 at 17:05:49
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/krb5
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/default
> including configuration file /etc/raddb/sites-enabled/control-socket
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> group = radiusd
> user = radiusd
> including dictionary file /etc/raddb/dictionary
> main {
> 	prefix = "/usr"
> 	localstatedir = "/var"
> 	logdir = "/var/log/radius"
> 	libdir = "/usr/lib/freeradius"
> 	radacctdir = "/var/log/radius/radacct"
> 	hostname_lookups = no
> 	max_request_time = 30
> 	cleanup_delay = 5
> 	max_requests = 1024
> 	allow_core_dumps = no
> 	pidfile = "/var/run/radiusd/radiusd.pid"
> 	checkrad = "/usr/sbin/checkrad"
> 	debug_level = 0
> 	proxy_requests = yes
>  log {
> 	stripped_names = no
> 	auth = no
> 	auth_badpass = no
> 	auth_goodpass = no
>  }
>  security {
> 	max_attributes = 200
> 	reject_delay = 1
> 	status_server = yes
>  }
> }
> radiusd: Loading Realms and Home Servers
>  proxy server {
> 	retry_delay = 5
> 	retry_count = 3
> 	default_fallback = no
> 	dead_time = 120
> 	wake_all_if_all_dead = no
>  }
>  home_server localhost {
> 	ipaddr = 127.0.0.1
> 	port = 1812
> 	type = "auth"
> 	secret = "testing123"
> 	response_window = 20
> 	max_outstanding = 65536
> 	require_message_authenticator = no
> 	zombie_period = 40
> 	status_check = "status-server"
> 	ping_interval = 30
> 	check_interval = 30
> 	num_answers_to_alive = 3
> 	num_pings_to_alive = 3
> 	revive_interval = 120
> 	status_check_timeout = 4
> 	irt = 2
> 	mrt = 16
> 	mrc = 5
> 	mrd = 30
>  }
>  home_server_pool my_auth_failover {
> 	type = fail
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> I did this, but the clients can still login without any client
> certificate, for example with PEAP or EAP-TTLS. Here is my users file:

Is it that hard to show the debug output?

> Here's the eap.conf file

Neither the documentation nor messages on this list ask for the EAP configuration.

> Any ideas what is wrong here? Thanks

If you're not going to post the debug output, we have no idea what's wrong.

Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
> Put this into the "users" file:
>
> DEFAULT EAP-TLS-Require-Client-Cert = yes

I did this, but the clients can still login without any client certificate, for example with PEAP or EAP-TTLS. Here is my users file:

DEFAULT EAP-TLS-Require-Client-Cert = yes

testuser Cleartext-Password := "xxx"
	Reply-Message = "Hello, %{User-Name}"

DEFAULT Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
	Framed-Protocol = SLIP

Here's the eap.conf file

eap {
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
	md5 {
	}
	leap {
	}
	gtc {
		auth_type = PAP
	}
	tls {
		certdir = /etc/ssl
		cadir = /etc/ssl
		private_key_password = xx
		private_key_file = ${certdir}/serverkey.pem
		certificate_file = ${certdir}/servercert.pem
		CA_file = ${cadir}/cacert.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		check_crl = no
		CA_path = /etc/ssl
		cipher_list = "DEFAULT"
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		proxy_tunneled_request_as_eap = yes
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

Any ideas what is wrong here? Thanks

-------- Original message --------
> Date: Thu, 16 Sep 2010 09:54:28 +0200
> From: Alan DeKok
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> Klaus Laus wrote:
> > Thanks a lot Alan DeKok, do I have any possibility to permit login only to
> > persons with username/password and client certificate?
> > All authentication methods work fine on my server, but I'll only
> > permit login with username/password and client certificate. Which code do I need
> > to set in users/eap.conf?
> > TLS works fine on my server and the users can login themselves with the
> > client certificate, but I don't want to allow login without
> > username/password, also I don't want to allow logins with username and password
> > but without client certificates.
>
> Put this into the "users" file:
>
> DEFAULT EAP-TLS-Require-Client-Cert = yes
>
> This will require client certificates for *all* EAP methods. If you
> want it to be more specific, see "man unlang" for writing general
> policies.
>
> Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> Thanks a lot Alan DeKok, do I have any possibility to permit login only
> to persons with username/password and client certificate?
> All authentication methods work fine on my server, but I'll only permit
> login with username/password and client certificate. Which code do I need to set
> in users/eap.conf?
> TLS works fine on my server and the users can log in themselves with the
> client certificate, but I don't want to allow login without username/password,
> and I also don't want to allow logins with username and password but without client
> certificates.

Put this into the "users" file:

    DEFAULT EAP-TLS-Require-Client-Cert = yes

This will require client certificates for *all* EAP methods. If you want it to be more specific, see "man unlang" for writing general policies.

Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
Thanks a lot Alan DeKok, do I have any possibility to permit login only to persons with username/password and client certificate?

All authentication methods work fine on my server, but I'll only permit login with username/password and client certificate. Which code do I need to set in users/eap.conf?

TLS works fine on my server and the users can log in themselves with the client certificate, but I don't want to allow login without username/password, and I also don't want to allow logins with username and password but without client certificates.

Best greetings,
misterklaus

Original message
> Date: Wed, 15 Sep 2010 10:47:52 +0200
> From: Alan DeKok
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> Klaus Laus wrote:
> > Hello, I have one question, is it possible to configure my freeradius
> > server so that only clients with a CA certificate can log in themselves with
> > their username and password? I want to configure my freeradius server so
> > that the users can only log in after successful server certificate
> > validation.
> >
> > At the moment I use EAP-TTLS for authentication, but the option in the
> > clients "server certificate validation" is optional. I want to use EAP-TTLS
> > and force the CA certificate on the clients.
>
> You can't force the client to validate the CA cert. That is a
> configuration which needs to be set on the client.
>
> Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> Hello, I have one question, is it possible to configure my freeradius server
> so that only clients with a CA certificate can log in themselves with their
> username and password? I want to configure my freeradius server so that the
> users can only log in after successful server certificate validation.
> At the moment I use EAP-TTLS for authentication, but the option in the
> clients "server certificate validation" is optional. I want to use EAP-TTLS
> and force the CA certificate on the clients.

You can't force the client to validate the CA cert. That is a configuration which needs to be set on the client.

Alan DeKok.
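The answer above is that server-certificate validation lives in the supplicant, not in FreeRADIUS. As an added illustration (not code from this thread, from FreeRADIUS or from wpa_supplicant), here are two wpa_supplicant network blocks for EAP-TTLS: the weak one mirrors the situation the original poster describes, where no CA is configured and the supplicant tunnels the password to whatever server answers; the strict one pins the issuing CA and the expected server name. A small shell check then flags any block that has no ca_cert line, which is the kind of audit a defender runs over fleet configs. The SSID, identity, password, the client-side CA path and the server name are constructed sample values; the CA file name only mirrors the cacert.pem from the poster's eap.conf. domain_suffix_match exists in wpa_supplicant 2.x and later; older builds have subject_match instead.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. All values below are
# constructed samples; /etc/ssl/cacert.pem is assumed to be a client-side copy
# of the CA that issued the RADIUS server certificate.

# Weak: no ca_cert, so the TLS tunnel is built without checking who the
# server is. Any rogue access point with a RADIUS backend gets the MSCHAPv2
# exchange, which is exactly what the thread's "optional validation" means.
WEAK_TTLS_BLOCK='network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="klaus"
    password="xxx"
    phase2="auth=MSCHAPV2"
}'

# Strict: the server certificate must chain to the named CA and carry the
# expected name; anonymous_identity keeps the real username inside the tunnel.
STRICT_TTLS_BLOCK='network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="klaus"
    password="xxx"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/cacert.pem"
    domain_suffix_match="radius.example.org"
}'

# audit_eap_block BLOCK
# Prints "ok" and returns 0 when the block names a CA file for server
# certificate validation; prints "unvalidated" and returns 1 otherwise.
audit_eap_block() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ca_cert="[^"]+"'; then
        echo ok
        return 0
    fi
    echo unvalidated
    return 1
}

# Demonstration: the weak block is flagged, the strict block passes.
audit_eap_block "$WEAK_TTLS_BLOCK" || :     # prints "unvalidated"
audit_eap_block "$STRICT_TTLS_BLOCK"        # prints "ok"
```

The check is deliberately narrow: a ca_cert line proves the supplicant has something to verify against, but not that the name match is set, so a fuller audit would also look for domain_suffix_match or subject_match, and on Windows the equivalent is the "Validate server certificate" option in the EAP properties dialog mentioned earlier in the thread.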