Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 09:11, Muhammad Nadeem wrote:

Hi, everybody
I have used the pre-shipped certificates of FreeRADIUS for testing
purposes. This testing succeeded with a test user 'bob', with files
authentication.
Now in the next step I want to authenticate a user from my database with
digital certificates. When I authenticate the user, the server side
confirms and sends an Access-Accept packet, but at the client, the following
error occurs.
 No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
- dropping packet

I googled this problem and found a solution that the user Auth-Type is
set to Accept (I manually checked the user in the database, and its
Auth-Type was Accept) and this type prevents further processing.


Yes


Now my question is: could I continue EAP-TLS authentication,
regardless of Auth-Type being set to Accept?


No. Don't set Auth-Type unless you know what you're doing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 14:16, Muhammad Nadeem wrote:


[eap] EAP NAK
[eap] NAK asked for bad type 0


You've mis-configured the client. Go back and look at it again.


Re: EAP-TLS certificate problem

2013-02-19 Thread John Dennis

On 02/19/2013 09:16 AM, Muhammad Nadeem wrote:

On 2/19/13, Phil Mayers p.may...@imperial.ac.uk wrote:

On 19/02/13 09:11, Muhammad Nadeem wrote:

Hi, everybody
I have used the pre-shipped certificates of FreeRADIUS for testing
purposes. This testing succeeded with a test user 'bob', with files
authentication.
Now in the next step I want to authenticate a user from my database with
digital certificates. When I authenticate the user, the server side
confirms and sends an Access-Accept packet, but at the client, the following
error occurs.
 No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator -
dropped
STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
- dropping packet

I googled this problem and found a solution that the user Auth-Type is
set to Accept (I manually checked the user in the database, and its
Auth-Type was Accept) and this type prevents further processing.


Yes


Now my question is: could I continue EAP-TLS authentication,
regardless of Auth-Type being set to Accept?


No. Don't set Auth-Type unless you know what you're doing.


Doesn't look like you actually heeded this advice does it? Hint, look at 
your select statement. You're setting the Auth-Type.



OK, thanks,
I succeeded in authenticating the users from a database.
But when I set up the same setup on another machine, I failed :(
The following output is the debug output of the FreeRADIUS server. (I
think EAP NAK is creating problems.)
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
FROM dual ORDER BY RC_ID - SELECT '1' AS RC_ID,'001AAD3F8165' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
dual ORDER BY RC_ID
[sql] User found in radcheck table



Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'


--
John Dennis jden...@redhat.com



Re: EAP-TLS certificate problem

2013-02-19 Thread Alan DeKok
Muhammad Nadeem wrote:
 I succeeded in authenticating the users from a database.
 But when I set up the same setup on another machine, I failed :(
 The following output is the debug output of the FreeRADIUS server. (I
 think EAP NAK is creating problems.)

  Yes.  Read the debug output.

 [eap] EAP NAK
 [eap] NAK asked for bad type 0
 [eap] Failed in EAP select

  The client is broken.

  Don't blame FreeRADIUS.  Go fix the client.

  Alan DeKok.
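
The symptoms discussed in this thread, as an added example that is not part of any poster's message or of FreeRADIUS itself: a small Python checker that scans server debug output per request and flags a SQL check query that returns Auth-Type, a request on which both Accept and EAP were found, and an EAP NAK for a bad type. The sample log is constructed from the lines quoted in the thread; the `rad_recv:` request headers and the finding labels are assumptions of this example.

```python
import re

# Constructed sample from the debug lines quoted in the thread; the
# "rad_recv:" request headers (host, port, id, length) are assumed.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32768, id=0, length=160
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op FROM dual ORDER BY RC_ID
Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'
rad_recv: Access-Request packet from host 192.0.2.10 port 32768, id=1, length=170
Found Auth-Type = EAP
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
"""

REQ = re.compile(r"^rad_recv: \S+ packet .*\bid=(\d+)")
AUTH_TYPE = re.compile(r"Found Auth-Type = (\S+)")
SQL_AUTH_TYPE = re.compile(r"\[sql\]\s+expand:.*'Auth-Type'\s+AS\s+Attribute", re.I)
NAK_BAD = re.compile(r"\[eap\] NAK asked for bad type (\d+)")

def split_requests(text):
    """Group debug lines under the request id that precedes them."""
    requests = []
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            requests.append((m.group(1), []))
        elif requests:
            requests[-1][1].append(line)
    return requests

def audit(text):
    """Return (request_id, finding) tuples; the labels are this example's own."""
    findings = []
    for rid, lines in split_requests(text):
        body = "\n".join(lines)
        types = AUTH_TYPE.findall(body)
        if SQL_AUTH_TYPE.search(body):
            findings.append((rid, "sql-query-sets-auth-type"))
        if "Accept" in types and "EAP" in types:
            findings.append((rid, "accept-and-eap-on-same-request"))
        if nak := NAK_BAD.search(body):
            findings.append((rid, "eap-nak-bad-type-" + nak.group(1)))
    return findings

if __name__ == "__main__":
    for rid, finding in audit(SAMPLE):
        print(f"request id={rid}: {finding}")
```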