RE: H323-ivr-out sending extra attribute from Cisco TCL to radius
Hi Abdul, what are you doing with Cisco and RADIUS? If possible we can both help each other and work together. So tell me what the problem is.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP TLS Computer Authentication XP the final Solution *working great after a hard fight* Solution inside
Hi, first I want to say thanks to all here for the great help setting up my RADIUS as part of my work for my engineer's exam. Yesterday I finished my work and found my 2 mistakes why computer authentication didn't work properly on my network, and now I want to share this with you all here, knowing some of you still have the same problems. First only the problem with machine authentication; after I pass my exams on 15 July I will post a link here to my whole documentation describing how to set up my whole project, including the following: a CA created with TinyCA as frontend for openssl, FreeRADIUS on Debian stable with EAP-TLS support, an LDAP backend for dynamic VLAN assignment rules, VLAN routing on a layer 3 core switch, and finally clients (2000, XP, Linux) doing first a machine authentication (*tricky but possible*), pulled into a basic VLAN with the DHCP, DNS and ADS servers in a separate subnet and VLAN; then users can log onto the domain, get their final user certificate, are thrown into their final working VLAN and get the final subnet from the DHCP. This works great now, but first only the main problem, the machine certificates: what you have to do if you create them with TinyCA to get working certificates for machine authentication, in a short sequence, and where the problems are that I figured out.

OK, setting up TinyCA is easy and the binding to FreeRADIUS is described here a lot. The final steps are the following, especially for Windows: under OpenSSL configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 into the server certificate's Extended Key Usage, and 1.3.6.1.5.5.7.3.2 into the client certificate's Extended Key Usage. This is basic and essential for successful authentication, but not all. For machine authentication create a client certificate, and now the really important things:

1. The CN has to match the local computer name only, or the fully qualified name of the computer; both are possible.

2. The Email field MUST be filled in with the fully qualified computer name, like workstatio1.exampledomain.de. This entry is important for machine authentication because Windows XP searches the subjectAltName field to find the certificate in the computer store. If this isn't present, authentication fails the first time, and after the internal counter of XP expires the second authentication is successful (why??). But OK, add this and all is fine. In the openssl.cnf of TinyCA you can see that the Email field is copied to the subjectAltName field. I will write a letter to the developer of TinyCA asking if he could make a separate field for this.

3. Export the certificate as PKCS12 and check "include certificate" and "fingerprint" (whether the fingerprint is important I will figure out later and tell you, I haven't found time to check this), but the key must be included.

4. And the last thing is that you have to import the computer certificate not by double-click (in this case the certificate is stored in the CurrentUser store and you have to copy it via mmc to the computer store, but this doesn't work; the certificate isn't found correctly if you do it that way!). Best is to open mmc, do a snap-in of Local Computer, then go to Personal certificates ("Eigene Zertifikate"), right-click on it, All Tasks, Import, then import the certificate, and now you have the CA certificate and your computer certificate in the store; now you finally have to move the CA certificate into the root certificate store under your Computer Account store. That's all in the mmc.

Then go to the preferences of your network connection, Authentication tab, EAP type Properties, and in the list you have to check "Check server certificate", uncheck "Connect to this server" (this is optional) and in the list check your CA. If you also have a user certificate installed you will find your CA there 2 times. It is not important which you select; one should be enough.

Finally I can say, from what was discussed here, you don't have to set another OID (which is discussed here in one thread) and you only have to change your registry if you have special requirements for the authentication behaviour. The basic registry setting seems to be enough. I added the SupplicantMode DWORD with a value of 3, but this only seems to start authentication faster than without and is not essential for a basic setup. OK, this is only a small, dirty description for the first time; a better one will follow soon. But I thought many of you are struggling with this and it would be good to post this fast. Sorry for typing mistakes; maybe someone will correct this :-) @Alan: Is there an interest in posting my documentation to the wiki? I can send the final document to you! Greetings and good luck, Armin
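As an added example (not code from Armin's post or from TinyCA), the script below builds the same kind of machine certificate with plain openssl: CN set to the short computer name, EKU 1.3.6.1.5.5.7.3.2 (clientAuth), and the FQDN copied into subjectAltName the way TinyCA's openssl.cnf copies the Email field, then bundles it as PKCS#12 with the key and CA and checks the two fields XP looks for. The host name, CA name and password are placeholders.

```shell
#!/bin/sh
# Added example, not code from Armin's post or from TinyCA: build a machine
# certificate with plain openssl the way the post describes, then check it.
# Names (Demo CA, workstation1.example.test) are placeholders.
set -e

WORK=$(mktemp -d)
HOST=workstation1.example.test   # assumed FQDN; CN = host name, SAN = FQDN

# Minimal self-signed CA standing in for the TinyCA root
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo CA" 2>/dev/null

# Extensions: client EKU (OID 1.3.6.1.5.5.7.3.2) and the FQDN in subjectAltName,
# mirroring how TinyCA's openssl.cnf copies the Email field into subjectAltName
cat > "$WORK/machine.ext" <<EOF
extendedKeyUsage = clientAuth
subjectAltName = email:$HOST
EOF

# Machine key and CSR; CN is the short computer name, as the post requires
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/machine.key" \
  -out "$WORK/machine.csr" -subj "/CN=${HOST%%.*}" 2>/dev/null
openssl x509 -req -in "$WORK/machine.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/machine.ext" -out "$WORK/machine.crt" 2>/dev/null

# PKCS#12 with the private key and the issuing CA, for import via mmc into the
# computer store (password is a placeholder)
openssl pkcs12 -export -inkey "$WORK/machine.key" -in "$WORK/machine.crt" \
  -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/machine.p12"

# check_machine_cert CERT FQDN: succeeds only if the certificate carries the
# clientAuth EKU and a subjectAltName email entry equal to FQDN
check_machine_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q "TLS Web Client Authentication" || return 1
  echo "$text" | grep -q "email:$2" || return 1
  return 0
}

check_machine_cert "$WORK/machine.crt" "$HOST" && echo "machine certificate OK"
```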
AW: EAP TLS Computer Authentication XP the final Solution *working great after a hard fight* Solution inside
-Original Message-
From: Krämer Armin [mailto:[EMAIL PROTECTED]
Sent: Saturday, 20 May 2006 12:04
To: '[EMAIL PROTECTED]'
Subject: AW: EAP TLS Computer Authentication XP the final Solution *working great after a hard fight* Solution inside

Hi, I read your article in this magazine and it was quite helpful; the only thing that didn't work was the machine certificate, but as I described in my last post the only thing I struggled with was XP clients needing the full DN in the place I described and the CN as computer name, and how to import them correctly. Your LDAP setup was really helpful. Thanks to you. Greetings from Baden-Württemberg, Armin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, 20 May 2006 09:23
To: Krämer Armin
Subject: Re: EAP TLS Computer Authentication XP the final Solution *working great after a hard fight* Solution inside

On Saturday, 20 May 2006 09:01, Krämer Armin wrote:
> Hi, (...) a CA created with TinyCA as frontend for openssl, FreeRADIUS on Debian stable with EAP-TLS support, an LDAP backend for dynamic VLAN assignment rules, VLAN routing on a layer 3 core switch, and finally clients (2000, XP, Linux) doing first a machine authentication (*tricky but possible*), pulled into a basic VLAN with the DHCP, DNS and ADS servers in a separate subnet and VLAN; then users can log onto the domain, get their final user certificate, are thrown into their final working VLAN and get the final subnet from the DHCP. This works great now, but first only the main problem, the machine certificates.

Hi, I did this setup (LDAP, VLAN, certs, ...) and wrote an article in the German Linux Magazin 01/05. All problems you list are more or less described there. Sorry that I did not read the beginning of this discussion, so I could have helped you before. Greetings from Munich, Michael Schwartzkopff
Re: getting FreeRADIUS to record login failures, etc.
Christopher Carver wrote:
> If someone can point me in the right direction, I would be very appreciative. Perhaps I could even explore it to its fullest and submit some documentation to the developers to include with the software to make things a bit clearer.

What exactly is unclear in the documentation? There is already an entry "How do I log failed login attempts in a SQL database?" in the FAQ: http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ -- Nicolas Baradakis
RE: H323-ivr-out sending extra attribute from Cisco TCL to radius
Hi, we are trying to route H323 calls based on number prefixes. The idea is to have the GW/GK do a database lookup of the called number; if the number is found it should be routed to a particular gateway for termination, if not it should be routed to a GK. This GK will then send back an LCF and the call will then be routed to the terminating GW based on the prefix. The call flow is below:

i. GW/GK A receives 447931800952; the GW will consult a .dbf kept in memory to see if the number is present in the database. All numbers are kept with a network prefix, i.e. UK Mobile O2 will be 23410447931800952.
ii. If the number 447931800952 is present in the .dbf, i.e. .447931800952, the GW/GK will now forward the call to the terminating GW(s) with the dial-peer 23410.
iii. If the number is not present, the call will now be forwarded to another GK; this GK will now return an LCF, i.e. 23410447931800952.
iv. GW/GK A will now route this number based on the prefix 23410, while at the same time inserting the LCF 23410447931800952 into the .dbf datafile.

The Borland dbf datafile is what we are starting out with and this can be changed to any data format. I look forward to hearing from you. Best regards, Abdul Hakeem