Radius client can not connected!

2008-08-10 Thread Kwok Sianbin
Hi all,

Need help.

I've been doing this for some time and can't get it solved.

The client tries to communicate with the server but just can't get connected.

Here are the messages:



Waking up in 4.7 seconds.

    User-Name = testing

    NAS-IP-Address = 0.0.0.0

    Framed-MTU = 1488

    Called-Station-Id = 00:30:1a:29:03:66

    Calling-Station-Id = 00:1c:f0:10:56:b8

    NAS-Port-Type = Wireless-802.11

    NAS-Identifier = 127.0.0.1

    Connect-Info = CONNECT 11Mbps 802.11b

    State = 0x50713d8653743023ce88a0c1a1b930fe

    Message-Authenticator = 0xd97d042e7cb701a8720f28f6c5f1292b

+- entering group authorize

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

    rlm_realm: No '@' in User-Name = testing, looking up realm NULL

    rlm_realm: No such realm NULL

++[suffix] returns noop

  rlm_eap: EAP packet type response id 5 length 253

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

    users: Matched entry testing at line 91

    expand: Hello, %{User-Name} - Hello, testing

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

rlm_pap: Found existing Auth-Type, not changing it.

++[pap] returns noop

  rad_check_password:  Found Auth-Type EAP

auth: type EAP

+- entering group authenticate

  rlm_eap: Request found, released from the list

  rlm_eap: EAP/tls

  rlm_eap: processing type tls

  rlm_eap_tls: Authenticate

  rlm_eap_tls: processing TLS

  TLS Length 1467

rlm_eap_tls:  Length Included

  eaptls_verify returned 11

  rlm_eap_tls:  TLS 1.0 Handshake [length 037f], Certificate

-- verify error:num=20:unable to get local issuer certificate

  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca

TLS Alert write:fatal:unknown CA

    TLS_accept:error in SSLv3 read 

Radius

2008-07-15 Thread Kwok Sianbin
Hi Ivan,



Here I want to ask for your advice. I have a server with two Ethernet connections.



Internet --- [eth1] (DNS, DHCP server, Radius Server) Red Hat [eth0] - Wifi (Client)



If I plug XP into eth0 (network line), the server assigns an IP
address to that computer and it is immediately able to connect to the internet
(iptables redirects traffic to eth1).

Then I try to authenticate the wifi client. I wonder why the
NAS-IP-Address always shows 0.0.0.0, but when I run radtest on the terminal
server it shows the IP address.

# radtest MarsNet 000 localhost 0 testing123

     User-Name   = MarsNet

 User-Password  = 000

 NAS-IP-Address  = 192.168.1.10 ( server IP address)

 NAS-Port = 0

#

I guess this might be the problem causing the client to fail to connect to
the server. (The client never connects but instead shows "acquiring network
address".)

Further, for testing purposes, if I want to switch the incoming authentication
through eth1, which ports shall I open?

In a previous email you mentioned a client attribute failure. How do I fix it?








  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP/TLS

2008-07-09 Thread Kwok Sianbin


Thanks for the tips. 

If the certificates are fine then the only problem here is the radius server.

XP can not authenticate, the client can't get connected.



Here is the output:

Ready to process requests.

    User-Name = MarsNet_Client

    NAS-IP-Address = 0.0.0.0

    Framed-MTU = 1488

    Called-Station-Id = 00:30:1a:29:03:66

    Calling-Station-Id = 00:1c:f0:10:56:b8

    NAS-Port-Type = Wireless-802.11

    NAS-Identifier = 127.0.0.1

    Connect-Info = CONNECT 11Mbps 802.11b

    EAP-Message = 0x02020013014d6172734e65745f436c69656e74

    Message-Authenticator = 0x00ebc8fcffd2c906e2d36ec4fff17d3a

+- entering group authorize

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

    rlm_realm: No '@' in User-Name = MarsNet_Client, looking up realm NULL

    rlm_realm: No such realm NULL

++[suffix] returns noop

  rlm_eap: EAP packet type response id 2 length 19

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.

++[pap] returns noop

  rad_check_password:  Found Auth-Type EAP

auth: type EAP

+- entering group authenticate

  rlm_eap: EAP Identity

  rlm_eap: processing type tls

 rlm_eap_tls: Requiring client certificate

  rlm_eap_tls: Initiate

  rlm_eap_tls: Start returned 1

++[eap] returns handled

    EAP-Message = 0x010300060d20

    Message-Authenticator = 0x

    State = 0x7382effe7381e2540240fd45d4418b28

Finished request 4.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 4 ID 1 with timestamp +930

Ready to process requests.

    User-Name = MarsNet_Client

    NAS-IP-Address = 0.0.0.0

    Framed-MTU = 1488

    Called-Station-Id = 00:30:1a:29:03:66

    Calling-Station-Id = 00:1c:f0:10:56:b8

    NAS-Port-Type = Wireless-802.11

    NAS-Identifier = 127.0.0.1

    Connect-Info = CONNECT 11Mbps 802.11b

    EAP-Message = 0x02010013014d6172734e65745f436c69656e74

    Message-Authenticator = 0xd79261edb8c5b177b0b6334837684449

+- entering group authorize

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

    rlm_realm: No '@' in User-Name = MarsNet_Client, looking up realm NULL

    rlm_realm: No such realm NULL

++[suffix] returns noop

  rlm_eap: EAP packet type response id 1 length 19

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.

++[pap] returns noop

  rad_check_password:  Found Auth-Type EAP

auth: type EAP

+- entering group authenticate

  rlm_eap: EAP Identity

  rlm_eap: processing type tls

 rlm_eap_tls: Requiring client certificate

  rlm_eap_tls: Initiate

  rlm_eap_tls: Start returned 1

++[eap] returns handled

    EAP-Message = 0x010200060d20

    Message-Authenticator = 0x

    State = 0xae557800ae5775e5b09645c04263a306

Finished request 5.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 5 ID 3 with timestamp +950

Ready to process requests.



--- On Mon, 7/7/08, Ivan Kalik [EMAIL PROTECTED] wrote:
From: Ivan Kalik [EMAIL PROTECTED]
Subject: Re: Private key
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Monday, July 7, 2008, 10:38 PM

Why do you care if Windows does not have enough information to verify
this certificate? Does radius server have any problems with it?

Ivan Kalik
Kalik Informatika ISP

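Added example, not part of the original posts: a small Python decoder for the EAP-Message values in the `radiusd -X` output above, showing what each packet of the conversation is (code, id, type, EAP-TLS flags). The sample log is constructed from lines copied out of that output, the function names are this example's own, and it goes slightly beyond the post by also reassembling a packet that is split across several consecutive EAP-Message attributes.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
# Flag bits of the byte that follows the type in EAP-TLS (RFC 5216);
# EAP-TTLS and PEAP use the same three bit positions.
TLS_FLAGS = ((0x80, "Length-Included"), (0x40, "More-Fragments"), (0x20, "Start"))
ATTR = re.compile(r"^\s*EAP-Message\s*=\s*0x([0-9a-fA-F]+)\s*$")

# Constructed sample: lines copied from the debug output in the post
# (requests 4 and 5), trimmed to what the decoder needs.
SAMPLE_LOG = """\
    User-Name = MarsNet_Client
    EAP-Message = 0x02020013014d6172734e65745f436c69656e74
++[eap] returns handled
    EAP-Message = 0x010300060d20
    State = 0x7382effe7381e2540240fd45d4418b28
Finished request 4.
    User-Name = MarsNet_Client
    EAP-Message = 0x02010013014d6172734e65745f436c69656e74
++[eap] returns handled
    EAP-Message = 0x010200060d20
    State = 0xae557800ae5775e5b09645c04263a306
Finished request 5.
"""


def decode_eap(hex_value):
    """Decode one complete EAP packet given as hex (with or without 0x)."""
    text = hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d but %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident,
           "length": length, "type": None, "flags": [], "detail": None}
    if code in (1, 2) and length > 4:      # only Request/Response carry a type
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, str(eap_type))
        if eap_type == 1:                  # Identity: the rest is the user name
            pkt["detail"] = raw[5:].decode("utf-8", "replace")
        elif eap_type in (13, 21, 25) and length > 5:
            flags = raw[5]
            pkt["flags"] = [name for bit, name in TLS_FLAGS if flags & bit]
            if flags & 0x80 and length >= 10:
                tls_len = struct.unpack("!I", raw[6:10])[0]
                pkt["detail"] = "TLS message length %d" % tls_len
    return pkt


def packets_from_log(text):
    """Return decoded EAP packets in log order.

    RADIUS attributes hold at most 253 bytes, so a long EAP packet is logged
    as a run of consecutive EAP-Message lines; each run is joined before
    decoding. Blank lines inside a run are ignored.
    """
    packets, run = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ATTR.match(line)
        if match:
            run.append(match.group(1))
            continue
        if run:
            packets.append(decode_eap("".join(run)))
            run = []
    if run:
        packets.append(decode_eap("".join(run)))
    return packets


def restarts(packets):
    """Count Identity responses received after an EAP-TLS Start was sent,
    i.e. the peer began a new conversation instead of answering the Start."""
    count, start_sent = 0, False
    for pkt in packets:
        if pkt["code"] == "Request" and "Start" in pkt["flags"]:
            start_sent = True
        elif pkt["code"] == "Response" and pkt["type"] == "Identity" and start_sent:
            count += 1
            start_sent = False
    return count


if __name__ == "__main__":
    decoded = packets_from_log(SAMPLE_LOG)
    for pkt in decoded:
        print(pkt["code"], "id", pkt["id"], pkt["type"], pkt["flags"], pkt["detail"])
    print("restarts after TLS Start:", restarts(decoded))
```

On the sample, the server's two replies decode as EAP-TLS Requests with only the Start flag set, and the second Access-Request is again an Identity response rather than a reply to the first Start.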

Private key

2008-07-07 Thread Kwok Sianbin
Hi,
Need help!! From the server I generated CA.der, client.p12 and server.p12.
CA.der installed in XP Prof and works fine, but client.p12 has a problem: "Windows
does not have enough information to verify this certificate. You have a
private key that corresponds to this certificate."
Should I install server.p12 as well?
Can anyone give me a hand to solve this?



Re: Certificate Error!

2008-07-05 Thread Kwok Sianbin

organizationName    = Example Inc.

emailAddress    = [EMAIL PROTECTED]

commonName  = MarsNet_CA



Where should I change?


--- On Wed, 6/11/08, Ivan Kalik [EMAIL PROTECTED] wrote:
From: Ivan Kalik [EMAIL PROTECTED]
Subject: Re: Certificate Error!
To: freeradius-users@lists.freeradius.org
Date: Wednesday, June 11, 2008, 11:42 PM

Issuer: ..., MarNet
Subject: ..., MarsNet

Check certificate details. It seems that there are some typing errors
there.

Ivan Kalik
Kalik Informatika ISP


On 11/6/2008, Kwok Sianbin [EMAIL PROTECTED] wrote:

Hi Ivan,



The dates show in the client cert in word format and the dates are correct.

Here I attach the cert details tab.

The root certificate is fine; both client and root certificates were generated
at the same time.

Afterward I tried to connect but the connection failed.









--- On Tue, 6/10/08, Ivan Kalik [EMAIL PROTECTED] wrote:
From: Ivan Kalik [EMAIL PROTECTED]
Subject: Re: Certificate Error!
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Date: Tuesday, June 10, 2008, 4:59 PM

What is the system date format on that XP: day/month/year or
month/day/year? Click on the certificate details tab. Are dates printed
as words or numbers?

Ivan Kalik
Kalik Informatika ISP


On 10/6/2008, Kwok Sianbin [EMAIL PROTECTED] wrote:

Hi Ivan,
The dates are ok (up-to-date).
Here I attach the certificate



- Original Message 
From: Ivan Kalik [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, June 10, 2008 12:00:33 AM
Subject: Re: Certificate Error!

and then copy ca.der, client.p12 then I install the certificate
into
Windows XP.

When click the client certificate and it shows

Windows doesn't have enough information to verify this
certificate

Server cert in Trusted Root Cert

This certificate has expired or is not yet valid.


And below there is a line Valid from ... to ... - what are the dates?

Ivan Kalik
Kalik Informatika ISP


Certificate Error!

2008-06-09 Thread Kwok Sianbin
Hi,



Can anyone here help me to fix the error below:

I ran the instructions in the README, such as:

make ca.pem

make ca.der

make server.pem

make server.csr

make client.pem



and then copied ca.der and client.p12, then installed the certificates into Windows XP.

When I click the client certificate, it shows

Windows doesn't have enough information to verify this certificate

Server cert in Trusted Root Cert

This certificate has expired or is not yet valid.



here the ca.cnf

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = ./
certs                   = $dir
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir
certificate             = $dir/ca.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
private_key             = $dir/ca.key
RANDFILE                = $dir/.rand
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 1095
default_crl_days        = 365
default_md              = md5
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
prompt                  = no
distinguished_name      = certificate_authority
default_bits            = 2048
input_password          = 123
output_password         = 123
x509_extensions         = v3_ca

[certificate_authority]
countryName             = FR
stateOrProvinceName     = Radius
localityName            = Somewhere
organizationName        = Example Inc.
emailAddress            = [EMAIL PROTECTED]
commonName              = Certificate Authority

[v3_ca]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true



The only things I changed in ca.cnf, client.cnf and server.cnf were default_days
and default_crl_days.









Client Certificate!

2008-05-25 Thread Kwok Sianbin
Hi Alan,
As your previous email mentioned, I need to run the server script.
Do you mean the script in the README file that comes with Freeradius
(/raddb/scripts)?
# make server.pem
# make server.csr
I have just started to use Linux, hence I am not quite familiar with it.


- Original Message 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, May 24, 2008 2:00:22 PM
Subject: Re: Re : EAP-TTLS w/MS-CHAPv2

Kwok Sianbin wrote:
...
 #radtest MarsNet Mars123 localhost 0 testing123
  User-Name = MarsNet
...
 if I change the configuration in radiusd.conf to bind to particular IP
 address (eth0) then about radtest failed to Accept.

  Because you're sending packets to localhost?  Do you know what
different network interfaces are?

...
 ++[eap] returns handled
        Reply-Message = Hello, MarsNet
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0x58961ab6589417883d2fb3d577435665
 Finished request 2.
 Going to the next request
 Waking up in 4.9 seconds.

  This is in the FAQ.  You are using a Microsoft client, and the server
certificate doesn't have the correct OID's.

  Use the certificate generation scripts that come with the server.

  Alan DeKok.

Re: Microsoft Client Certificate (OID)

2008-05-24 Thread Kwok Sianbin
Hi Alan,
 
 certificate generation scripts already executed.
 Is this what you meant.
 # make server.pem
 # make server.csr
 
 Kindly advice how to do it!

Alan DeKok [EMAIL PROTECTED] wrote: Kwok Sianbin wrote:
...
 #radtest MarsNet Mars123 localhost 0 testing123
  User-Name = MarsNet
...
 if I change the configuration in radiusd.conf to bind to particular IP
 address (eth0) then about radtest failed to Accept.

  Because you're sending packets to localhost?  Do you know what
different network interfaces are?

...
 ++[eap] returns handled
 Reply-Message = Hello, MarsNet
 EAP-Message = 0x010200060d20
 Message-Authenticator = 0x
 State = 0x58961ab6589417883d2fb3d577435665
 Finished request 2.
 Going to the next request
 Waking up in 4.9 seconds.

  This is in the FAQ.  You are using a Microsoft client, and the server
certificate doesn't have the correct OID's.

  Use the certificate generation scripts that come with the server.

  Alan DeKok.

Re: Re : EAP-TTLS w/MS-CHAPv2

2008-05-23 Thread Kwok Sianbin
Hi Alan,
 
 Please help..Here I have problem that I can't figure out what went wrong!
 
 #radtest MarsNet Mars123 localhost 0 testing123
  User-Name = MarsNet
 User-Password = Mars123
 NAS-IP-Address = 192.168.1.5
 NAS-Port = 0
 Reply-Message = Hello, MarsNet
 
 if I change the configuration in radiusd.conf to bind to particular IP address 
(eth0) then about radtest failed to Accept.
 My server configured with DNS / DHCP / iptable firewall (Internet) (eth1) and 
eth0 connect to  Wifi - D-Link client.
 
 # /usr/local/radiusd -X
 bash: /usr/local/radiusd: No such file or directory
 [EMAIL PROTECTED] saman]# /usr/local/sbin/radiusd -X
 FreeRADIUS Version 2.0.4, for host i686-pc-linux-gnu, built on May 15 2008 at 21:44:23
 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License.
 Starting - reading configuration files ...
 including configuration file /usr/local/etc/raddb/radiusd.conf
 including configuration file /usr/local/etc/raddb/proxy.conf
 including configuration file /usr/local/etc/raddb/clients.conf
 including configuration file /usr/local/etc/raddb/snmp.conf
 including configuration file /usr/local/etc/raddb/eap.conf
 including configuration file /usr/local/etc/raddb/sql.conf
 including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
 including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
 including configuration file /usr/local/etc/raddb/policy.conf
 including files in directory /usr/local/etc/raddb/sites-enabled/
 including configuration file /usr/local/etc/raddb/sites-enabled/default
 including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
 including dictionary file /usr/local/etc/raddb/dictionary
 main {
 prefix = /usr/local
 localstatedir = /usr/local/var
 logdir = /usr/local/var/log/radius
 libdir = /usr/local/lib
 radacctdir = /usr/local/var/log/radius/radacct
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 allow_core_dumps = no
 pidfile = /usr/local/var/run/radiusd/radiusd.pid
 checkrad = /usr/local/sbin/checkrad
 debug_level = 0
 proxy_requests = yes
  security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
  }
 }
  client localhost {
 ipaddr = 127.0.0.1
 require_message_authenticator = no
 secret = testing123
 nastype = other
  }
  client 192.168.0.206 {
 require_message_authenticator = no
 secret = testing123-1
 shortname = smartbridge
  }
 radiusd:  Loading Realms and Home Servers 
  proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
  }
  home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = auth
 secret = testing123
 response_window = 20
 max_outstanding = 65536
 zombie_period = 40
 status_check = status-server
 ping_check = none
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
  }
  home_server_pool my_auth_failover {
 type = fail-over
 home_server = localhost
  }
  realm example.com {
 auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
 radiusd:  Instantiating modules 
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
   exec {
 wait = yes
 input_pairs = request
 shell_escape = yes
   }
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
   expiration {
 reply-message = Password Has Expired  
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
   logintime {
 reply-message = You are calling outside your allowed timespan  
 minimum-timeout = 60
   }
  }
 radiusd:  Loading Virtual Servers 
 server inner-tunnel {
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_pap
  Module: Instantiating pap
   pap {
 encryption_scheme = auto
 auto_header = no
   }
  Module: Linked to module rlm_chap
  Module: Instantiating chap
  Module: Linked to module rlm_mschap
  Module: Instantiating mschap
   mschap {
 use_mppe = yes
 require_encryption = no
 require_strong = no
 with_ntdomain_hack = no
   }
  Module: Linked to module rlm_unix
  Module: Instantiating unix
   unix {
 radwtmp = 

Client can't connect Acquiring Network address

2008-05-20 Thread Kwok Sianbin
 EAP-Message = 0x93bd38749f3d952fe10c35a8
 Message-Authenticator = 0x
 State = 0x13382f46123b22a47c694fefa3fc3d08
 Finished request 1.
 Going to the next request
 

Kwok Sianbin [EMAIL PROTECTED] wrote: Hi All,
 
 I have problem generating client certificate for Windows Xp.
 
 # make client.pem
 openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
 Generating a 2048 bit RSA private key
 ...+++
 ...+++
 writing new private key to 'client.key'
 -
 openssl ca -batch -keyfile server.key -cert server.crt -in client.csr  -key `grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
 Using configuration from ./client.cnf
 unable to load certificate
 4773:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
 make: *** [client.crt] Error 1
 
 I looked in client.cnf and I could not figure out where got wrong!

Error while try to generate certificate!

2008-05-19 Thread Kwok Sianbin
Hi All,
 
 I have problem generating client certificate for Windows Xp.
 
 # make client.pem
 openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
 Generating a 2048 bit RSA private key
 ...+++
 ...+++
 writing new private key to 'client.key'
 -
 openssl ca -batch -keyfile server.key -cert server.crt -in client.csr  -key `grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
 Using configuration from ./client.cnf
 unable to load certificate
 4773:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
 make: *** [client.crt] Error 1
 
 I looked in client.cnf and I could not figure out where got wrong!
 

Re: freeradius documentation: Auth-Type

2008-05-19 Thread Kwok Sianbin
Hi,
 
 Sorry for my English.
 After making some changes in client.cnf,
 # make client.pem can't be run.
 Now # radiusd -X also has a problem.
 .
 .
 .
 Module: Linked to sub-module rlm_eap_tls
  Module: Instantiating eap-tls
tls {
 rsa_key_exchange = no
 dh_key_exchange = yes
 rsa_key_length = 512
 dh_key_length = 512
 verify_depth = 0
 pem_file_type = yes
 private_key_file = /usr/local/etc/raddb/certs/server.pem
 certificate_file = /usr/local/etc/raddb/certs/server.pem
 CA_file = /usr/local/etc/raddb/certs/ca.pem
 private_key_password = Mars123
 dh_file = /usr/local/etc/raddb/certs/dh
 random_file = /usr/local/etc/raddb/certs/random
 fragment_size = 1024
 include_length = yes
 check_crl = no
 cipher_list = DEFAULT
 make_cert_command = /usr/local/etc/raddb/certs/bootstrap
}
 rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server.pem
 rlm_eap: Failed to initialize type tls
 /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
 /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
 /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
  }
 }
 Errors initializing modules
 
 Plz anyone can help!




Error binding to port for 0.0.0.0 port 1812

2008-05-15 Thread Kwok Sianbin
Hi Alan,
 
 I've installed FreeRadius-2.0.4 and I got some error saying
 ERROR: Failed to open socket:
 /usr/local/etc/raddb/radiusd.conf[210]: Error binding to port for 0.0.0.0 port 
1812
 
 but when I check in radiusd.conf
 ipaddr= *
 # interface = eth0 
 
 How can I fix this error?
 I have 2 ethernet cards, eth1 = 192.168.1.10 (DNS  iptables), eth0 = 
192.168.0.10 (Wifi)
 
 Here are a few things that I'd edited:
 
 (uncomment)
 clients.conf 
 client 192.168.0.0/24
 secret  = testing123-1
 shortname = private-network-1
 
 users
 add 
 MarsindNetClearText-Password:= testing123
 Reply-Message  := Hello, %{User-Name}
 
 eap.conf
 
 eap {
default_eap_type = tls
 }
  tls {
 .
 fragment_size= 1024
 include_length = yes
 }
 
 Next step I want to test Windows XP client but I couldn't find 
 root.der  cert-clt.p12 as previous version have.
 
 
 
 
 


 

Re: EAP-TLS cert

2008-05-15 Thread Kwok Sianbin
Hi,
 
 I've installed FreeRadius-2.0.4 and run fine.
 Here are a few things I had edited.
 
 Clients.conf
 client 192.168.0.0/24 {
 secret= testing123-1
 shortname= private-network-1
}
 
 eap {
 default_eap_type= tls
 }
 
 
 tls {
 fragment_size=1024
 include_lenght= yes
 }
 
 users
 MarsindNetCleartext_Password:= hello
  Reply-Message = Hello, %{User-Name}
 
 Now..I want to test connecting with Windows XP but I could not find
 root.der or cert-clt.p12 like previous version has.
 
 What files should I copy and install into Windows XP as client certificate?
 
 Thanks in advance.
 
Alan DeKok [EMAIL PROTECTED] wrote: Kwok Sianbin wrote:
 I am newbie to linux and recently I try to implement  wireless
 connnection with EAP-TLS encryption. I am using Freeradius-1.1.7
 installed into Red Hat Enterprise 4.

  You should really use 2.0.4.

 Here I encounter problems that I can't solve it alone hence I need
 advice guru from this forum.
 the problem is client just can't get connected and keep request.

 ...
 Sending Access-Challenge of id 15 to 192.168.0.206 port 1025
...
 Going to the next request
 Waking up in 6 seconds...

  This is in the FAQ.  It's also documented in the eap.conf file in 2.0.4.

 Here I post the CA.certs execution result as I suppect that the errors
 might be due to certificate error.
 When I run ./CA.certs and I got a few errors.

  2.0.4 also contains new scripts for certificate creation.  They're
MUCH better than what's in 1.1.7.

  Alan DeKok.

uninstall freeradius

2008-05-14 Thread Kwok Sianbin
Hi,
Thanks for continuing to assist me.
Right now I want to remove freeradius from the server and re-install version
2.0.4.
For freeradius-2.0.2 and 2.05, I used the CVS command to install it as mentioned in my
previous email.
So what command do I use to remove it?
And freeradius-1.1.7 I installed by downloading the file
freeradius-1.1.7.tar.bz2 from freeradius.org.
I want to uninstall it also!
Thanks in advance!



- Original Message 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, May 13, 2008 11:58:40 PM
Subject: Re: EAP-TLS can't get connected..etc.

Hi,

 I installed the Freeradius 2.0.4 as Mr. Alan DeKok had suggested
 I browse www.freeradius.org and run below command.
 #cvs -d :pserver:[EMAIL PROTECTED]:/source login
 CVS password: anoncvs
 nothing happen and return to #

'nothing' should happen as all you've done is log into a CVS session

 #cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd

this will download the latest CVS version - '2.0.5' from the
main site into a directory called 'radiusd' - which will
be put into whereever you were when you ran the command

compile problems could be due to having the latest CVS code which
might have a problem in it at any time.

was there a specific reason not to use eg 2.0.4.tar.bz2 download
from the freeradius.org site?

 I checked the version in /usr/share/doc/radius/VERSION and it shows 2.0.2 
 (installed before)
 Have I installed freeradius-2.0.4?

not from what i've seen you type. what does eg 'radiusd -v' tell you?

 If I want to uninstall or remove previous version such Freeradius-1.1.7 
 ..what command I should run or just simply delete the folder in Freeradius?

how did you install it? from RPM or APT etc? or from source?
if from source, you will need to look in the binary and library
directories for all the files it will have installed...usually
/location/to/bin/rad*  /location/to/lib/rlm_* /local/to/lib/radius*
and then a whole load of things in /usr/share/radius etc etc
(just do eg 'make -n install' to see what it puts where.

alan

Re: EAP-TLS can't get connected..etc.

2008-05-13 Thread Kwok Sianbin
Hi Everyone,
I installed Freeradius 2.0.4 as Mr. Alan DeKok had suggested.
I browsed www.freeradius.org and ran the commands below.
#cvs -d :pserver:[EMAIL PROTECTED]:/source login
CVS password: anoncvs
Nothing happened and it returned to #
#cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd
Then, under #/usr/share/doc/radiusd, I ran:
#./configure --with-openssl-includes=/usr/include/openssl 
--with-openssl-libraries=/usr/lib/libxm --with-prefix=/usr/local/radius
# make
#make install
I got some errors:
btool: install: error: cannot install rlm_acctlog.la to a directory not 
ending in /usr/local/lib/lib
gmake[6]: *** [install] Error1
gmake[6]: Leaving dictory '/usr/share/doc/radiusd/src/modules/rlm_acctog'
gmake[5]: *** Error 2
gmake[5]: Leaving directory '/usr/share/doc/radiusd/src/modules'
gmake[4]: *** Error 2
gmake[4]: Leaving directory '/usr/share/doc/radiusd/src/modules'
gmake[3]: *** Error 2
gmake[3]: Leaving directory '/usr/share/doc/radiusd/src'
gmake[2]: *** Error 2
gmake[2]: Leaving directory '/usr/share/doc/radiusd/src'
gmake[1]: *** Error 2
gmake[1]: Leaving directory '/usr/share/doc/radiusd'
make: *** [install] Error 2
I checked the version in /usr/share/doc/radius/VERSION and it shows 2.0.2 
(installed before).
Have I installed freeradius-2.0.4?
Where is it located?
If I want to uninstall or remove a previous version such as Freeradius-1.1.7, what 
command should I run, or should I just simply delete the folder in Freeradius?
Thanks in advance.


----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, May 9, 2008 7:50:34 PM
Subject: Re: EAP-TLS can't get connected..etc.

Kwok Sianbin wrote:
> I am a newbie to Linux and recently I tried to implement a wireless
> connection with EAP-TLS encryption. I am using Freeradius-1.1.7
> installed on Red Hat Enterprise 4.

  You should really use 2.0.4.

> Here I encounter problems that I can't solve alone, hence I need
> advice from the gurus of this forum.
> The problem is that the client just can't get connected and keeps requesting.
>
> ...
> Sending Access-Challenge of id 15 to 192.168.0.206 port 1025
> ...
> Going to the next request
> Waking up in 6 seconds...

  This is in the FAQ.  It's also documented in the eap.conf file in 2.0.4.

> Here I post the CA.certs execution result as I suspect that the errors
> might be due to a certificate error.
> When I ran ./CA.certs I got a few errors.

  2.0.4 also contains new scripts for certificate creation.  They're
MUCH better than what's in 1.1.7.

  Alan DeKok.

EAP-TLS can't get connected..etc.

2008-05-09 Thread Kwok Sianbin
Hi Everyone,
I am a newbie to Linux and recently I tried to implement a wireless connection with 
EAP-TLS encryption. I am using Freeradius-1.1.7 installed on Red Hat 
Enterprise 4.
Here I encounter problems that I can't solve alone, hence I need advice from the gurus 
of this forum.
The problem is that the client just can't get connected and keeps requesting.

/usr/src/sbin/radiusd -XA
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /usr/local/etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
tls: cipher_list = (null)
tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: