Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread David Mitton
I'm sorry, I don't have time right now to help you, but you are on the right track. Windows has a feature Machine Authentication where the station authenticates (using the $hostname and a secret credential created at domain join) with a Domain controller before the user login. On an

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread Phil Mayers
On 11/10/12 12:43, Alexandros Gougousoudis wrote: Hi, we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now. If I make an auth via

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread Alan DeKok
Alexandros Gougousoudis wrote: That's not clear. Why would that break EAP if the workstations are sending a different Login? You said you wanted to add a string to hostname. Don't do that. Editing it in FreeRADIUS will break things. It already does, depending on LAN or WLAN Logins. I

AW: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP

2012-08-30 Thread PENZ Robert
=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On behalf of PENZ Robert Sent: Tuesday, 7 August 2012 13:22 To: FreeRadius users mailing list Subject: AW: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP The problem now

Re: user(name) and EAP-TLS

2012-08-07 Thread Klaus Klein
On 06.08.2012 09:39, Alan DeKok wrote: Klaus Klein wrote: On 04.08.2012 18:51, Alan DeKok wrote: I'm stating my opinion outright. If you think I'm implying something, you're misreading it. Now that's a nice twist. I guess this is the sentence which offended you: The final (first)

Re: user(name) and EAP-TLS

2012-08-07 Thread Alan DeKok
Klaus Klein wrote: With that experience I would have expected some more seniority and not being offended by the word 'should'. It seems you misunderstood me. That's not a surprise. My 13+ years of experience show that certain statements are made ONLY by people who are trying to be

AW: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP

2012-08-07 Thread PENZ Robert
for unsupported type PEAP). Either configure PEAP, or fix the client to stop asking for PEAP. trying ... ;-) In the 2/3 of the cases it works the Client does not send a NAK, so I believe it is a client problem but it’s Windows 7 … there must be thousands of installs with Windows 7 and 802.1x EAP

Re: user(name) and EAP-TLS

2012-08-06 Thread Alan DeKok
Klaus Klein wrote: On 04.08.2012 18:51, Alan DeKok wrote: Implying that FreeRADIUS doesn't protect access is rude. Don't you think you're jumping the gun a bit? No. Where did you get this from, why are you implying something like this and how rude is that? I'm stating my opinion

Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP

2012-08-06 Thread PENZ Robert
Hi! I've a problem with 802.1x and EAP-TLS where I'm not quite sure who is responsible for this problem and how to work around it. I hope someone can help me - I couldn't find anything with Google and I just can't believe I'm the first guy with this problem. The setup is following

Re: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP

2012-08-06 Thread Alan DeKok
asked for unsupported type PEAP). Either configure PEAP, or fix the client to stop asking for PEAP. In the 2/3 of the cases it works the Client does not send a NAK, so I believe it is a client problem but it’s Windows 7 … there must be thousands of installs with Windows 7 and 802.1x EAP/TLS

Re: user(name) and EAP-TLS

2012-08-05 Thread Arran Cudbard-Bell
*sigh* Don't use this configuration with wired 802.1X. As the user's identity is not protected within the tunnel, someone sitting between your machine and the switch could easily switch out identities at the start of 802.1X auth, and use it as a way of performing privilege escalation. Hm, you

Re: user(name) and EAP-TLS

2012-08-05 Thread Klaus Klein
On 05.08.2012 10:28, Arran Cudbard-Bell wrote: Don't use this configuration with wired 802.1X. As the user's identity is not protected within the tunnel, someone sitting between your machine and the switch could easily switch out identities at the start of 802.1X auth, and use it as a way

Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein
On 04.08.2012 03:15, Alan DeKok wrote: Klaus Klein wrote: Which uses certificates for authentication. Correct. Thanks for the vote of confidence. You're welcome. :) The point of my comment was that it DOESN'T use names/passwords for authentication. I did understand this part.

Re: user(name) and EAP-TLS

2012-08-04 Thread Matthew Newton
On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote: Therefore I'm a bit puzzled that if no matching entry in users is found that the authentication still takes place. Try one of: a) move files above eap in sites-enabled/default. This will mean that the eap short-circuit won't skip

Re: user(name) and EAP-TLS

2012-08-04 Thread Arran Cudbard-Bell
On 4 Aug 2012, at 11:57, Matthew Newton m...@leicester.ac.uk wrote: On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote: Therefore I'm a bit puzzled that if no matching entry in users is found that the authentication still takes place. authorize { files if

Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein
On 04.08.2012 12:57, Matthew Newton wrote: On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote: Therefore I'm a bit puzzled that if no matching entry in users is found that the authentication still takes place. Try one of: a) move files above eap in sites-enabled/default. This

Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein
Sorry, I just reread your email. On 04.08.2012 12:57, Matthew Newton wrote: a) move files above eap in sites-enabled/default. This will mean that the eap short-circuit won't skip files. I don't think that files is skipped after EAP-TLS authorization. If the User-Name, which is provided

Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein
On 04.08.2012 16:01, Arran Cudbard-Bell wrote: On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote: Therefore I'm a bit puzzled that if no matching entry in users is found that the authentication still takes place. authorize { files if (notfound || noop) {

Re: user(name) and EAP-TLS

2012-08-04 Thread Alan DeKok
Klaus Klein wrote: Also ... an authorization module searches a database ... (/etc/freeradius/users ?) --- if none of database records for this User-Name matches ... authorization will fail. Therefore I'm a bit puzzled that if no matching entry in users is found that the authentication

Re: user(name) and EAP-TLS

2012-08-04 Thread Alan DeKok
EAP-TLS. EAP-TLS means allow anyone who has a signed client cert. You signed a client cert, and gave it to a client. You were told this is how EAP-TLS works. You only have yourself to blame. I already explained how the server worked. Rather than believe it, you argue, and start insulting us

Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein
would believe that FreeRADIUS isn't protecting access ? You were the one who set up EAP-TLS. EAP-TLS means allow anyone who has a signed client cert. You signed a client cert, and gave it to a client. You were told this is how EAP-TLS works. I think I have a fair understanding how EAP-TLS

user(name) and EAP-TLS

2012-08-03 Thread Klaus Klein
Hi Folks, I'm working on securing the access to a WLAN network with WPA2-Enterprise, EAP-TLS and a FreeRADIUS server. Everything seemed to work as expected until I realized that a client will be authenticated (by eap) even if the user(name), provided with the mandatory identifier entry

Re: user(name) and EAP-TLS

2012-08-03 Thread Alan DeKok
Klaus Klein wrote: I'm working on securing the access to a WLAN network with WPA2-Enterprise, EAP-TLS and a FreeRADIUS server. Which uses certificates for authentication. Everything seemed to work as expected until I realized that a client will be authenticated (by eap) even if the user

Re: user(name) and EAP-TLS

2012-08-03 Thread Klaus Klein
On 03.08.2012 22:06, Alan DeKok wrote: Klaus Klein wrote: I'm working on securing the access to a WLAN network with WPA2-Enterprise, EAP-TLS and a FreeRADIUS server. Which uses certificates for authentication. Correct. Everything seemed to work as expected until I realized

Re: user(name) and EAP-TLS

2012-08-03 Thread Alan DeKok
Klaus Klein wrote: Which uses certificates for authentication. Correct. Thanks for the vote of confidence. The point of my comment was that it DOESN'T use names/passwords for authentication. Is it then correct that the 'check_cert_cn' option in eap.conf is the only way to prevent

EAP-TLS WinXP, default_md MD5, default_eap_type

2012-07-11 Thread Si St
The following questions about changing default_md and default_eap_type are solely for the matter that I should have RADIUS work on some Linux machines and some Windows machines, all of them hopefully with TLS client certificates mainly. There are some diversities as to MD5 and post-SP1 WinXP:

Re: EAP-TLS WinXP, default_md MD5, default_eap_type

2012-07-11 Thread Stefan Winter
Hello, the MD5 that is used in EAP-MD5 (configured in eap.conf) and the MD5 that is used as a message digest in certificate generation (configured in the .cnf files you mentioned) have *nothing* to do with each other. I.e. you can change one without side-effects on the other. Since there is no

Re: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore

2012-06-26 Thread 关旭
-users@lists.freeradius.org Subject: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore Dear list members, Before writing this email, I spent hours in debug and reading ML and howto. The configuration I'm trying to debug was working a couple of weeks

Re: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore

2012-06-25 Thread Benjamin Malynovytch
Alan, Thank you for your answer. I know you must be right, but I still didn't manage to have it working again. I'm still getting troubles with TLS exchanges and don't know enough of it to be able to debug it. I read tons of threads where Alan DeKok kept repeating to read his website, as well as using

Re: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore

2012-06-25 Thread Alan DeKok
, fragmentation should be ok. There's an EAP-TLS Howto on the main freeradius site. It's also pointed to from the wiki. Follow it, and it *will* work. I completely started the AP's configuration again, from factory defaults, not using the backup, only setting the strict minimum (WPA2-Enterprise

Re: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore

2012-06-25 Thread Benjamin Malynovytch
, fragmentation should be ok. There's an EAP-TLS Howto on the main freeradius site. It's also pointed to from the wiki. Follow it, and it *will* work. I completely started the AP's configuration again, from factory defaults, not using the backup, only setting the strict minimum (WPA2-Enterprise

Re: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore

2012-06-25 Thread Alan DeKok
Benjamin Malynovytch wrote: Thank you for your *great* contribution. You're welcome. PS: Do you sometimes read people's messages or do you just use automatic answers? I read *everything* on this list. I generally answer *good* questions. I ignore *bad* questions. But yes, many

FreeRadius2(certos)+cisco2950+wpa_supplicant(win7) can't work with EAP-TLS

2012-06-24 Thread 关旭
Hi! Just like the title, it works fine when I use MSCHAPV2 or MD5, but PEAP and EAP-TLS do not work. I tested Radius with eapol_test; it also works fine. Who can tell me the reason? WPA_supplicant config file, Radius log and WPA_supplicant log as follow

Re: FreeRadius2(certos)+cisco2950+wpa_supplicant(win7) can't work with EAP-TLS

2012-06-24 Thread Alan DeKok
关旭 wrote: Just like the title,it work fine when I use MSCHAPV2 or MD5, But PEAP and EAP-TLS not works. I test Radius with eapol_test,It also work fine. Who can tell me the reason? The debug log you posted has the answer. In big bold letters. Read

Re: FreeRadius2(certos)+cisco2950+wpa_supplicant(win7) can't work with EAP-TLS

2012-06-24 Thread 关旭
: !! ? I don't think it is this, because my client is wpa_supplicant, not the MS client, and eapol_test works fine. On the wpa_supplicant log, we can see: EAP-TLS: Start SSL: (where=0x10 ret=0x1) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:before/connect

Re: FreeRadius2(certos)+cisco2950+wpa_supplicant(win7) can't work with EAP-TLS

2012-06-24 Thread Alan DeKok
关旭 wrote: WARNING: !! WARNING: !! EAP session for state 0x24e5fa322535f760 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING:

EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore

2012-06-21 Thread Benjamin Malynovytch
Dear list members, Before writing this email, I spent hours in debug and reading ML and howto. The configuration I'm trying to debug was working a couple of weeks ago. The wifi access point became faulty (antenna broken) and was replaced in RMA (Cisco WAP200-EU). Before sending the AP back, I

Re: EAP-TLS used to be working, replaced Wifi AP, reimported backed-up config, EAP-TLS not working anymore

2012-06-21 Thread Alan Buxey
If you haven't touched FR then don't look there as that's not what has changed. Your problem has already been identified - the bit that got changed. No changes should be made on FR or on the clients alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with EAP-TLS and certificate

2012-06-18 Thread Alan DeKok
Stephane Brodeur wrote: I am a newbie to Freeradius and I am having a real hard time to implement EAP-TLS using self-signed certificate. Why? The server comes with scripts that create self-signed certs. See raddb/certs. If you search google for freeradius eap-tls howto, the first link

Re: Problem with EAP-TLS and certificate

2012-06-18 Thread Matthew Newton
On Sun, Jun 17, 2012 at 11:07:31PM -0400, Stephane Brodeur wrote: My problem is the following error message when running eapol_test TLS: Trusted root certificate(s) loaded OpenSSL: SSL_use_certificate_file (DER) -- OK OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed

Problem with EAP-TLS and certificate

2012-06-17 Thread Stephane Brodeur
Hi, I am a newbie to Freeradius and I am having a real hard time to implement EAP-TLS using self-signed certificate. My certificate seems valid: Server Certificate [root@localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem xplab.pem xplab.pem: OK Client certificate [root@localhost CA

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-05-04 Thread Phil Mayers
On 30/04/12 13:18, jinx_20 wrote: But I sill cannot understand why FR allowed to connect when I had removed Sub2_CA certificate from cert store. Just to emphasise, unless I'm mistaken it is OpenSSL that was validating or rejecting the cert. The FreeRADIUS verify callback doesn't override

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-30 Thread jinx_20
Phil, can you look at the certs I provided? Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5675205.html

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-30 Thread Phil Mayers
with the TLS protocol, you could use wireshark to capture and inspect an EAP-TLS conversation. The dissector will reassemble the TLS exchange, and you can check the correct certs are being sent over the wire in the correct order.

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-30 Thread jinx_20
understand why FR allowed to connect when I had removed Sub2_CA certificate from cert store. Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5675822.html

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-27 Thread jinx_20
== -END CERTIFICATE- -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5669595.html

[EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread jinx_20
the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 95 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] TLS 1.0 Handshake [length 005a

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Alberto Martínez
As soon as I delete Sub2 CA (that is, the CA certificate of the certificate authority which issued client's certificate) I am able to connect successfully. Does FR know this Sub2 CA? i.e: is CA certificate chain file referenced in eap.conf? If not, try to concatenate certificate authority

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread jinx_20
As I mentioned before CA_file in the eap.conf is set to ${cadir}/Sub2_CA_*entire_chain*.pem Is there any difference between concatenated CA file and certificate chain? Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Alberto Martínez
-- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664397.html

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread jinx_20
correct? Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664500.html

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Phil Mayers
On 25/04/12 10:39, jinx_20 wrote: Is there any way to configure FreeRadius server to explicitly accept intermediate CAs received from the client supplicant? No, it should not be needed and should work; but there might be a logic error in the various SSL verify options or callbacks; OpenSSL

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Alberto Martínez
2012/4/25 jinx_20 gabriel_skup...@o2.pl Ok, to be sure that we understand each other... My Sub2_CA_entire_chain.pem looks like this: -BEGIN CERTIFICATE- XX -END CERTIFICATE- -BEGIN CERTIFICATE- Y -END

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread jinx_20
required certificates. Regards, Gabriel -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664601.html

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Phil Mayers
On 25/04/12 12:42, jinx_20 wrote: freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 2 2012 at 15:38:19 OpenSSL 0.9.8o 01 Jun 2010 I wouldn't like to share our private production certificates but if you really need it to help us I will set up a mirror testing PKI

windows 7 eap-tls authentication

2012-04-04 Thread Christian Bösch
Hi list, I want to authenticate Windows 7 computers with TLS certificates. The certs have the special Windows OIDs, but I still get the error from below. On the website http://wiki.freeradius.org/Certificate_Compatibility there is only WinXP mentioned. Is there maybe any difference with Windows

Re: windows 7 eap-tls authentication

2012-04-04 Thread Matthew Newton
up and just didn't reply to the EAP-TLS start. If in doubt, use the default FR config, get it to generate the certs (which will be done properly) and install and test with that. Then you should know that the FR/cert side is 100% ok, and it must be your Windows settings. Then tweak from

Re: User Authenticated even when username not given in USERS file (EAP-TLS)

2012-03-28 Thread Alan DeKok
Prateek Kumar wrote: I am using EAP-TLS for authentication, USERs are getting authenticated even when I have not defined the user in USERS file. That's how EAP-TLS works. You issued a client certificate. Possession of the client certificate means that the user is authenticated. 1

Re: User Authenticated even when username not given in USERS file (EAP-TLS)

2012-03-28 Thread Prateek Kumar
Thanks Alan On Wed, Mar 28, 2012 at 9:25 PM, Alan DeKok al...@deployingradius.com wrote: Prateek Kumar wrote: I am using EAP-TLS for authentication, USERs are getting authenticated even when I have not defined the user in USERS file. That's how EAP-TLS works. You issued a client

User Authenticated even when username not given in USERS file (EAP-TLS)

2012-03-28 Thread Prateek Kumar
Hi , I am using EAP-TLS for authentication, USERs are getting authenticated even when I have not defined the user in USERS file. I have not changed any default configuration. Certificates are made by the makefile provided. Windows client is having both root client certificates installed

802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs

2012-03-22 Thread PENZ Robert
Hi! We currently have a MAC authentication running with dynamic VLANs via SQL for wired clients. We return the wished VLAN for the client by using the SQL function authorize_reply_query. We now want to add 802.1x EAP-TLS as a supported authentication method. I got the setup so far that I'm able

AW: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs

2012-03-22 Thread PENZ Robert
users mailing list Subject: Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs Hi, On Thu, Mar 22, 2012 at 03:24:41PM +0100, PENZ Robert wrote: And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I

Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs

2012-03-22 Thread Matthew Newton
.x arrives, there is a new feature that lets you do it in an eap-tls virtual server authorize section, but that's not available yet. Still, there should be no need for that unless you want to reject connections based on TLS certificate data, rather than just set the VLAN. Matthew -- Matthew

Re: AW: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs

2012-03-22 Thread Phil Mayers
On 22/03/12 15:27, PENZ Robert wrote: Hi! Thx for the fast response! But how do I execute the SQL authorize_reply_query query after I did an EAP authentication? I don't do that currently in post-auth. I just have the sql module activated in authorize. Like this: post-auth { if

EAP-TLS for Hotspots.

2012-03-20 Thread Mrinal K
authentication with different hotspots we are using EAP-TLS. The user registers with us then downloads an installer containing the certificates and x-supplicant, then installs them. All the hotspots are configured to authenticate users with our server and the server is a generic freeradius configured for EAP

freeradius2 and peap-eap-tls

2012-02-27 Thread Riccardo Veraldi
Hello, I am considering whether it is worth using PEAP with eap-tls in the inner tunnel, so peap-eap-tls. I find it useful for Windows people authenticating in the eduroam environment. Anyway I did not find documentation about it aside from this note http://wiki.freeradius.org/EAP-PEAP and I would

Re: freeradius2 and peap-eap-tls

2012-02-27 Thread Alan DeKok
Riccardo Veraldi wrote: I find it useful for Windows people authenticating in the eduroam environment. Anyway I did not find documentation about it aside from this note How about reading raddb/eap.conf ? http://wiki.freeradius.org/EAP-PEAP and I would like to implement it. is there someone

Re: freeradius2 and peap-eap-tls

2012-02-27 Thread Matthew Newton
On Mon, Feb 27, 2012 at 11:24:33AM +0100, Riccardo Veraldi wrote: I am considering if it is worth to use PEAP with eap-tls in the inner tunnel, so peap-eap-tls. It works, although there's not generally good reasons for doing so as EAP-TLS should be good enough. Main reason is probably to enable

Re: Microsoft PEAP-EAP-TLS support (certificate auth with SoH)?

2012-01-20 Thread Phil Mayers
On 01/20/2012 01:08 AM, Matthew Newton wrote: The 'normal' PEAP with MS-CHAPv2 works fine giving the SoH details, but has to be user authentication on the client. EAP-TLS works fine presenting the certificate to connect to the network (Microsoft's so-called computer auth), but doesn't, as far

Re: Microsoft PEAP-EAP-TLS support (certificate auth with SoH)? - works!

2012-01-20 Thread Matthew Newton
Hi, It's working! On Fri, Jan 20, 2012 at 08:28:49AM +0100, Alan DeKok wrote: Matthew Newton wrote: Does anyone know if FreeRADIUS now supports Microsoft PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in It's not a widely used feature. Obviously :-) SoH is the only reasonably

Microsoft PEAP-EAP-TLS support (certificate auth with SoH)?

2012-01-19 Thread Matthew Newton
Hi, Does anyone know if FreeRADIUS now supports Microsoft PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in Windows (not plain EAP-TLS, or PEAP/MS-CHAPv2, which both work fine)? This post from 2007 (and FR 1.0.1) indicates that it didn't work then, wondered if that's changed at all

Run a module only during the first EAP-TLS handshake

2012-01-19 Thread Victor Tangendjaja
Hi everyone, Is there a way to run a module only during the first EAP-TLS handshake? For example: authorize { preprocess if (??? == ???) { echo } ... } I simply want the 'echo' module to run once during the first auth. The reason being the 'echo

Re: Run a module only during the first EAP-TLS handshake

2012-01-19 Thread Alan DeKok
Victor Tangendjaja wrote: Is there a way to run a module only during the first EAP-TLS handshake? Track the information in a database. Alan DeKok.

Re: Microsoft PEAP-EAP-TLS support (certificate auth with SoH)?

2012-01-19 Thread Alan DeKok
Matthew Newton wrote: Does anyone know if FreeRADIUS now supports Microsoft PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in Windows (not plain EAP-TLS, or PEAP/MS-CHAPv2, which both work fine)? This post from 2007 (and FR 1.0.1) indicates that it didn't work then, wondered

Not sending all trusted CA Certificates in EAP-TLS Server Hello

2012-01-04 Thread Daniel Finger
Hi! We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is working, but after seeing a tcpdump, the Radius Server is sending all known CA Certificates to the Client during EAP TLS Negotiation. Our Config looks like this: private_key_file = ${certdir}/radius_server.key

Re: Not sending all trusted CA Certificates in EAP-TLS Server Hello

2012-01-04 Thread Alan DeKok
Daniel Finger wrote: We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is working, but after seeing a tcpdump, the Radius Server is sending all known CA Certificates to the Client during EAP TLS Negotiation. That's largely how EAP-TLS works. CA_file = ${cadir

Re: Not sending all trusted CA Certificates in EAP-TLS Server Hello

2012-01-04 Thread Daniel Finger
Hi! As far as I can see the Server does not send the full certificates, but only announces the certificates the server knows. I did not read the RFC yet, but I assume that this only informs the client which certificates can be requested to verify the server certificate chain. On 04.01.2012

Re: ppp and eap-tls

2011-12-29 Thread Alan DeKok
Frank wrote: Ah, I'm awfully sorry for not correctly using the relevant terminology. I suppose most people could guess I was talking about WPA2 enterprise when I mentioned EAP-TLS for wireless authentication. No. WPA has a defined meaning, independent of WPA2. It's like telling

RE: ppp and eap-tls

2011-12-29 Thread Frank
: Re: ppp and eap-tls Frank wrote: This statement is confusing! I'm using freeradius for EAP-TLS auth and set up the client for WPA2 enterprise with EAP-TLS. If this is not using certificates for authentication, then what is it using? sigh WPA != WPA2 enterprise You're confused

Re: ppp and eap-tls

2011-12-29 Thread Alan DeKok
Alan DeKok wrote: Frank wrote: Ah, I'm awfully sorry for not correctly using the relevant terminology. I suppose most people could guess I was talking about WPA2 enterprise when I mentioned EAP-TLS for wireless authentication. No. WPA has a defined meaning, independent of WPA2. FWIW

ppp and eap-tls

2011-12-28 Thread Frank
Hi, I'm using freeradius for EAP-TLS authentication with my WPA NAS, with MS-CHAPv2 for ppp auth (in a L2TP/IPSEC VPN) and for a while for EAP-TLS for ppp auth (about half a year ago). However, without me consciously changing anything in my setup (running Debian Squeeze, connecting clients

Re: eap/tls questions with freeradius

2011-12-28 Thread Phil Mayers
. It might be an idea in future to add an inner-tunnel feature for EAP-TLS which sends a plain PAP packet with the TLS-* attributes, which allows this kind of checking. You need to use the verify { } option under the tls { } config to run an external script. Like so: eap { tls { verify

Re: ppp and eap-tls

2011-12-28 Thread Alan DeKok
Frank wrote: I now get the following error in my radius log on an auth attempt: Error: TLS Alert write:fatal:decrypt error Error: TLS_accept: failed in SSLv3 read certificate verify B Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not

RE: ppp and eap-tls

2011-12-28 Thread Frank
Hi, -Original Message- From: Alan DeKok [mailto:al...@deployingradius.com] Sent: Wednesday, December 28, 2011 15:40 To: FreeRadius users mailing list [mailto:freeradius-users@lists.freeradius.org] Subject: Re: ppp and eap-tls Alan wrote: I now get the following error in my

Re: ppp and eap-tls

2011-12-28 Thread Alan DeKok
Frank wrote: This statement is confusing! I'm using freeradius for EAP-TLS auth and set up the client for WPA2 enterprise with EAP-TLS. If this is not using certificates for authentication, then what is it using? sigh WPA != WPA2 enterprise You're confused because you're confusing two

RE: eap/tls questions with freeradius

2011-12-26 Thread vazoumana fofana
to choose NAS. I want to avoid clients entering an authentication loop. But these clients can request authentication through the chosen NAS. Cheers. From: zoumlan...@hotmail.com To: freeradius-users@lists.freeradius.org Subject: RE: eap/tls questions with freeradius Date: Fri, 23 Dec 2011 10:32:54 +

Re: eap/tls questions with freeradius

2011-12-26 Thread Fajar A. Nugraha
On Mon, Dec 26, 2011 at 9:44 PM, vazoumana fofana zoumlan...@hotmail.com wrote: sorry, I've got persistent problems : - I filter client certificate under authenticate section (under eap) with : Auth-Type eap { if ( %{TLS-Client-Cert-Subject} =~ /OU=x/ ) {

RE: eap/tls questions with freeradius

2011-12-23 Thread vazoumana fofana
Do you know where I can insert a script to add new functions like those described in my previous email? When a client sends its certificate, does the server check the username or the certificate validity first? From: zoumlan...@hotmail.com To: freeradius-users@lists.freeradius.org Subject: RE: eap/tls questions

Re: eap/tls questions with freeradius

2011-12-23 Thread Fajar A. Nugraha
On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana zoumlan...@hotmail.com wrote: Do you know where I can insert a script to add new functions like those described in my previous email? When a client sends its certificate, does the server check the username or the certificate validity first? Try: -

RE: eap/tls questions with freeradius

2011-12-23 Thread vazoumana fofana
Thanks!!! Date: Fri, 23 Dec 2011 16:26:20 +0700 Subject: Re: eap/tls questions with freeradius From: l...@fajar.net To: freeradius-users@lists.freeradius.org On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana zoumlan...@hotmail.com wrote: Do you know where I can insert a script to add

eap/tls questions with freeradius

2011-12-20 Thread vazoumana fofana
Hi, I've got a question: I've set up a freeradius server with EAP/TLS. In my configuration, I use check_cert_issuer in order to check the certificate. Is there any function which allows me to check the client's certificate subject (C, O, OU?)? Furthermore, I have another question: when a client

RE: eap/tls questions with freeradius

2011-12-20 Thread vazoumana fofana
Precisely, I am looking for a check_cert_subject which checks the client's certificate field. From: zoumlan...@hotmail.com To: freeradius-users@lists.freeradius.org Subject: eap/tls questions with freeradius Date: Tue, 20 Dec 2011 12:23:50 + Hi, I've got a question: I've set up a freeradius

Re: EAP/TLS authentication in 2050

2011-12-06 Thread Victor Guk
why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time? No, of course not:) It is my curiosity that led me to test such a date.

Re: EAP/TLS authentication in 2050

2011-12-06 Thread Alan DeKok
Victor Guk wrote: I tried on a 64 bit computer. The same result. Ask the OpenSSL people why their library can't handle dates after 2050. FreeRADIUS can't handle dates after 2038, due to 32-bit limitations of the timestamp in RADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See

EAP/TLS authentication in 2050

2011-12-05 Thread Victor Guk
Hello I have SLES 11 SP1 (64bit), freeradius 2.1.12 and openssl 0.9.8r. I set up authentication with EAP/TLS. Server and client certificates are valid until the year 3011. Here they are: Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 5 07:05:02 2011 GMT Not After : Apr 7 07:05

Re: EAP/TLS authentication in 2050

2011-12-05 Thread Phil Mayers
On 12/05/2011 08:25 AM, Victor Guk wrote: [tls] TLS 1.0 Handshake [length 0249], Certificate -- verify error:num=9:certificate is not yet valid [tls] TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert write:fatal:bad certificate This error comes from within OpenSSL. FreeRADIUS

Re: EAP/TLS authentication in 2050

2011-12-05 Thread Alan Buxey
hi, why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time? anyway, I'm guessing these are 32 bit server and client OS? you may find, in that

Re: EAP/TLS authentication in 2050

2011-12-05 Thread Stefan Winter
Hi, why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time? To be honest, I'm thinking of a similar thing. Given how painful a CA rollover can

Re: EAP/TLS authentication in 2050

2011-12-05 Thread Victor Guk
This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL tells it. Can you verify the cert with the openssl verify ... test command? e.g. try this: openssl verify -CAfile ca.pem -purpose sslserver server.pem freeradius:/usr/local/CA # openssl verify -CAfile cacert.pem
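
Two separate limits are in play in this thread: the signed 32-bit time_t ceiling in January 2038 that Alan DeKok points to, and the X.509 rule (RFC 5280, section 4.1.2.5) that validity dates through the end of 2049 are encoded as UTCTime with a two-digit year and dates from 2050 onward as GeneralizedTime. The following is an added example, not FreeRADIUS or OpenSSL code and not from any poster, that takes the notAfter line `openssl x509 -noout -enddate` prints and reports where the date sits relative to both limits; it also decodes a raw UTCTime under the RFC 5280 two-digit-year rule, which makes the 2050 boundary concrete ("50..." is 1950, not 2050). It says nothing about which of these the OpenSSL 0.9.8r error in the thread actually came from; the dates it uses are constructed, including one matching the 3011 expiry quoted above.

```python
"""Where a certificate's validity dates fall relative to the two limits raised in
the thread: the 32-bit time_t ceiling (2038) and RFC 5280's switch from UTCTime to
GeneralizedTime for dates of 2050 and later.

Added example, not FreeRADIUS or OpenSSL code. It parses the 'notAfter=...' line
that `openssl x509 -noout -enddate` prints and decodes raw UTCTime strings under
the RFC 5280 two-digit-year rule. The dates used below are constructed.
"""
import calendar
from datetime import datetime, timezone

MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
          'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']

TIME_T32_MAX = 2 ** 31 - 1                                # 2038-01-19T03:14:07Z
GENERALIZED_TIME_FROM = datetime(2050, 1, 1, tzinfo=timezone.utc)


def parse_openssl_date(text: str) -> datetime:
    """Parse 'notAfter=Apr  7 07:05:02 3011 GMT' (the prefix is optional) as UTC."""
    value = text.split('=', 1)[1] if '=' in text else text
    fields = value.split()
    if len(fields) != 5 or fields[4] != 'GMT':
        raise ValueError('unexpected OpenSSL date: %r' % text)
    month = MONTHS.index(fields[0]) + 1                   # ValueError on a bad month
    day, year = int(fields[1]), int(fields[3])
    hour, minute, second = (int(x) for x in fields[2].split(':'))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def decode_utctime(s: str) -> datetime:
    """Decode an ASN.1 UTCTime 'YYMMDDHHMMSSZ' per RFC 5280 4.1.2.5.1:
    YY >= 50 means 19YY, YY < 50 means 20YY. This is why a validity date in
    2050 cannot be a UTCTime at all: '50...' decodes to 1950."""
    if len(s) != 13 or not s.endswith('Z') or not s[:-1].isdigit():
        raise ValueError('malformed UTCTime: %r' % s)
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]),
                    int(s[6:8]), int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def classify(dt: datetime) -> dict:
    """Report the epoch value, whether it fits a signed 32-bit time_t, and which
    ASN.1 time type RFC 5280 requires for it."""
    epoch = calendar.timegm(dt.utctimetuple())
    return {
        'utc': dt.isoformat(),
        'epoch': epoch,
        'fits_time_t32': epoch <= TIME_T32_MAX,
        'asn1_time_type': 'UTCTime' if dt < GENERALIZED_TIME_FROM else 'GeneralizedTime',
    }


def classify_not_after(text: str) -> dict:
    """Convenience wrapper: classify straight from the openssl -enddate output line."""
    return classify(parse_openssl_date(text))


if __name__ == '__main__':
    for line in ('notAfter=Jan 19 03:14:07 2038 GMT',   # last second of 32-bit time_t
                 'notAfter=Dec 31 23:59:59 2049 GMT',   # last UTCTime-encodable second
                 'notAfter=Jan  1 00:00:00 2050 GMT',   # first GeneralizedTime date
                 'notAfter=Apr  7 07:05:02 3011 GMT'):  # expiry like the thread's cert
        print(line, '->', classify_not_after(line))
    print('UTCTime 500101000000Z decodes to', decode_utctime('500101000000Z').year)
```

Feed it the output of `openssl x509 -in client.pem -noout -enddate` for each certificate in the chain. A notAfter that does not fit a 32-bit time_t will be mishandled by any 32-bit consumer of the date regardless of how the CA encoded it, and a notAfter of 2050 or later forces GeneralizedTime, which is the encoding the older OpenSSL in the thread would have to handle for the 3011 expiry.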

Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-28 Thread Arran Cudbard-Bell
I would have done this ages ago if I knew where to find a more comprehensive manual explaining it all, rather than relying on bits of info scattered in a thousand different places. The freeRADIUS wiki isn't terribly helpful either - this -
