Smith, Brian (ESEA ISA) wrote:
We are running freeradius, version 1.1.7, on Fedora. We are testing
WPA2/EAP-TLS authentication, with large certificate chains (just under
64K in PEM format).
Ouch... that's big.
Some individual cert sizes in the chain approach
10K in DER format
Googling suggested that simply catting the 2 certs (server and
intermediate) into a single file (server at top, intermediate at bottom)
and listing that in the config as the certificate_file should work
No, that's not going to work. Client machine will still look for the
intermediate CA in
So there is no way at all to get the client to pick up the cert chain
without directly installing the intermediate cert on it?
No.
Is this
actually a client issue of it refusing to use chains for this then,
rather than a FreeRADIUS issue of it not passing the chain?
Yes.
Thanks very much for
Meyers, Dan wrote:
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate to validate our server to the clients
the options with the tls subsection of the eap.conf
to XP appears to not
automatically trust it.
Our config is as follows:
eap {
tls {
private_key_file = ${confdir}/certs/wireless4.key
certificate_file = ${confdir}/certs/wireless4-verisign-crt.pem
# note: this is *our* local CA, trusted for EAP-TLS client certs
CA_file = ${confdir
Hi,
We are running freeradius, version 1.1.7, on Fedora. We are testing
WPA2/EAP-TLS authentication, with large certificate chains (just under
64K in PEM format). Some individual cert sizes in the chain approach
10K in DER format. If the chain is small enough to fit in a single TLS
message
Hi,
* Smith, Brian (ESEA ISA) brian.sm...@honeywell.com [Fri, 20 Feb 2009
11:15:01 -0700]:
We are running freeradius, version 1.1.7, on Fedora. We are testing
WPA2/EAP-TLS authentication, with large certificate chains (just under
64K in PEM format). Some individual cert sizes in the chain
of
the EAP/PEAP/MSCHAP etc user auth with it. On my other system we are
using it for client MAC auth via perl modules.
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate to validate our server to the clients
the options with the tls subsection of the eap.conf file are still used
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate to validate our server to the clients
the options with the tls subsection of the eap.conf file are still used
Googling suggested that simply catting the 2 certs (server and
intermediate) into a single file (server at top, intermediate at bottom)
and listing that in the config as the certificate_file should work
No, that's not going to work. Client machine will still look for the
intermediate CA in its
failed to find anything online or in the docs explaining
*what* i'm doing wrong, so i'm posting here.
We've had a FreeRADIUS server set up for some time now, with an SSL
certificate directly signed by one of Verisign's root CA's, for the
purposes of doing EAP-TLS domain auth. This worked fine
What i've got currently can be up to 3 files. Firstly, the server
certificate itself, which has been signed by Verisign's Intermediate CA,
then the cert for said Intermediate CA, and finally the root cert used
to sign the Intermediate CA. My current setup is with the server cert in
a file on its
I've actually dropped the -crl_check from this test, as i'm not doing
crl checking within FreeRADIUS until i've got it working without it.
Also, this command didn't seem to work when my verisign.pem contained
1 cert, even after a c_rehash, it only worked if all the certs were
in individual
My client is still giving the same behaviour of not getting the
certificate chain, however.
OK. So which certificate signed the client certificate?
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
server set up for some time now, with an SSL
certificate directly signed by one of Verisign's root CA's, for the
purposes of doing EAP-TLS domain auth. This worked fine on both
FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
month, and it would appear no one issues root signed
of Verisign's root CA's, for the
purposes of doing EAP-TLS domain auth. This worked fine on both
FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
month, and it would appear no one issues root signed certs any more,
they're all cert chains. Obviously with things like apache this is fine
There are other solutions around as well to distribute and manage client
side certificates. Not cheap, but they do exist.
//anders
remain WPA2/EAP-TLS. For compliance
there is no flexibility of the security of that WLAN. *sigh* OK no
worries it makes it a cool problem to solve. :-)
So I've just got a laptop temporarily setup with a little ad-hoc
network for provisioning the phones via tftp. These will be in a
dozen remote
Luciano Afranllie wrote:
You can check and maybe take some ideas from wimax forum guys.
Unfortunately, no.
Go to www.wimaxforum.org. Register and login. Go to Network Working
Group and check for OTA Provisioning and Network Architecture (stage 2
and 3) specifications.
Access is for
Matt Causey wrote:
However a pretty big limitation of this security architecture is of
course getting the SSL key material onto the devices. In our case -
the devices are SIP phones with no wired ethernet connection. I know
there are other sites with similar issues.
How do you get the
On Fri, Jan 30, 2009 at 8:08 AM, Alan DeKok al...@deployingradius.com wrote:
Luciano Afranllie wrote:
You can check and maybe take some ideas from wimax forum guys.
Unfortunately, no.
Go to www.wimaxforum.org. Register and login. Go to Network Working
Group and check for OTA Provisioning
Hi,
just to give an update on my efforts to make XP SP3 work with EAP-TLS.
Machine based EAP-TLS authentication works for WIRED connections fine,
as I wrote in the last mail. BUT that doesn't mean that it works for
wireless connections. :-) Before SP3 there wasn't a problem
I am running FreeRadius at my company on a WLAN - using SSL key
material issued by our internal certificate authority. All is well.
However a pretty big limitation of this security architecture is of
course getting the SSL key material onto the devices. In our case -
the devices are SIP phones
Alexandros Gougousoudis wrote:
Hi,
just to give an update on my efforts to make XP SP3 work with EAP-TLS.
Machine based EAP-TLS authentication works for WIRED connections
fine, as I wrote in the last mail. BUT that doesn't mean that it works
for wireless connections. :-) Before SP3
On Thu, Jan 29, 2009 at 12:52 PM, Matt Causey matt.cau...@gmail.com wrote:
I am running FreeRadius at my company on a WLAN - using SSL key
material issued by our internal certificate authority. All is well.
However a pretty big limitation of this security architecture is of
course getting
Ivan Kalik t...@kalik.net wrote:
We are currently using EAP-TLS authentication with FreeRADIUS at the place
where I work right now. Management would like to be able to restrict the use
of a given certificate for this authentication to specific MAC addresses. In
other words
So how would I do the same thing for a certificate instead of a username?
There will be a username in EAP-TLS request too.
From everything that I have been able to read, the user name in a EAP-TLS
request should come from the CN value of the certificate. Does this
sound correct?
I haven't
We are currently using EAP-TLS authentication with FreeRADIUS at the place
where I work right now. Management would like to be able to restrict the use
of a given certificate for this authentication to specific MAC addresses. In
other words, for each certificate, the desire is to tie
X509v3 Extended Key Usage: critical
TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
10:c4:7c:60:3f:d2:44:de:8b:79:01:d9:ce:3d:0e:af:59:c9:
[...]
f7:80:cc:0f:42:db:b3:fd
Don't know what to do. Have you tried a machine-based EAP-TLS
Alexandros Gougousoudis wrote:
Hi Ivan,
Try signing client certificates with the ca certificate. I have included
modified Makefile for 2.1.3. I have added make caclient.pem to
produce client certificates and cleanca to remove them. Try
importing caclient.p12 created this way onto the user
Thanks for your reply, but that is already what I do. I have created a
CA in TinyCA and the server has a signed server-cert and each client has
a signed client-cert (both with the XP specific usage attributes). The
CA is of course imported into the trusted authorities branch. The CN is
the
Hi Thiebault,
you saved me. AGAIN! :-) That was the clue, not including the Email in
the DN, just saying no in TinyCA was the first step to the solution. XP
SP3 took then the cert for auth.
@Ivan: Thanks for your reply, but it's not a TinyCA issue.
Second step was, that 2000/XP = SP2
Ivan Kalik t...@kalik.net wrote:
We are currently using EAP-TLS authentication with FreeRADIUS at the place
where I work right now. Management would like to be able to restrict the use
of a given certificate for this authentication to specific MAC addresses. In
other words, for each
to authenticate an XP
SP3 machine with EAP-TLS to Freeradius. I mean, XP has a
market-dominance of 95% and this problem should also occur if you
authenticate via WLAN. So there must be a solution and I'm doing
something terribly wrong.
I'd like to hear from at least one person that it works
-usage, also no success. I'm
a bit worried about the registry-errors in the logs I've posted.
It looks like SP3 will not allow server certificate to be used as
intermediate CA.
I can't believe that I'm the first one who tried to authenticate an XP
SP3 machine with EAP-TLS to Freeradius. I mean
Hello all,
We are currently using EAP-TLS authentication with FreeRADIUS at the place
where I work right now. Management would like to be able to restrict the use
of a given certificate for this authentication to specific MAC addresses. In
other words, for each certificate, the desire is to tie
So what's the problem? Is there some kind of Registry hassle? I took a
new PC with a new XP Pro (incl. SP3) installed. There are no old
leftovers. So eap looks very buggy and beta. The certs are ok, they work
with XP SP2, so why doesn't SP3 want it?
I'm using now Freeradius 1.1.6 (I had 1.1.0)
service is of
course set to automatic and it's running.
If I downgrade my machines to SP2, radius works immediately. So I think
the cert creation differs from old XP. Are there any hints about it? I
googled for Vista and Freeradius or SP3, but most information is not for
eap-tls
Hi,
I tried to compile the 1.1.7 OpenSUSE 10.1. But I get the following
error at the end:
Processing files: freeradius-dialupadmin-1.1.7-0.suse1010
Processing files: freeradius-devel-1.1.7-0.suse1010
Checking for unpackaged file(s): /usr/lib/rpm/check-files
/var/tmp/freeradius-1.1.7-build
? If that is
the recommended path do you think there is an ideal OS to run
Freeradius/Openssl for eap-tls functionality?
Thanks,
Brian
-Original Message-
From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on
behalf of John Dennis
Sent: Mon 1/12/2009 3:01 PM
Hi
solved it. Must be a bug in 1.1.7. I used 1.1.6 and all works fine
(incl. XP SP3).
cu
Alex
need to
reinstall my OS? If that is the recommended path do you think there is an ideal OS to
run Freeradius/Openssl for eap-tls functionality?
No, you don't need to reinstall your OS, that would be insanely
overkill. The old install probably won't conflict because it installed
in a completely
to reinstall my OS?
If that is the recommended path do you think there is an ideal OS to run
Freeradius/Openssl for eap-tls functionality?
No, you don't need to reinstall your OS, that would be insanely
overkill. The old install probably won't conflict because it installed
in a completely
Brian Ertel wrote:
John,
You are right, but the dir where the old radius was make installed is
gone. That is the original folder that was created after unzipping and
installing the old ver. of radius is gone. Is there anything else I can do?
You can recreate the tree, follow the same steps
On Tue, 2009-01-13 at 11:46 -0500, John Dennis wrote:
Brian Ertel wrote:
John,
You are right, but the dir where the old radius was make installed is
gone. That is the original folder that was created after unzipping and
installing the old ver. of radius is gone. Is there anything else
I will clean up /sbin first. I understand this is a fr email list and
appreciate the help with the basic OS stuff. I will try to keep this type
of stuff off the list in the future.
Thanks again,
Brian
On 1/13/09 11:51 AM, Craig White craigwh...@azapple.com wrote:
On Tue, 2009-01-13 at 11:46
hi,
linux admin task:
you can also do 'make -n install' and this will show
you what and where make is going to put the files (it's
a test/dummy run) - then you can grep through the
output for eg /usr/local and see what files to
get rid of. as well as the tools themselves - radiusd,
radtest etc,
Thank you Alan.
Brian
On 1/13/09 1:01 PM, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk
wrote:
hi,
linux admin task:
you can also do 'make -n install' and this will show
you what and where make is going to put the files (it's
a test/dummy run) - then you can grep through the
output
Craig White wrote:
On Tue, 2009-01-13 at 11:46 -0500, John Dennis wrote:
Brian Ertel wrote:
John,
You are right, but the dir where the old radius was make installed is
gone. That is the original folder that was created after unzipping and
installing the old ver. of radius is gone.
On Tue, 2009-01-13 at 13:33 -0500, John Dennis wrote:
Craig White wrote:
On Tue, 2009-01-13 at 11:46 -0500, John Dennis wrote:
Brian Ertel wrote:
John,
You are right, but the dir where the old radius was make installed is
gone. That is the original folder that
is not a .src.rpm file right?
Brian
-Original Message-
From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on
behalf of John Dennis
Sent: Tue 1/13/2009 1:33 PM
To: FreeRadius users mailing list
Subject: Re: eap/tls freeradius openssl
Craig White wrote
Thanks John, no prob.
Brian
On 1/13/09 4:28 PM, John Dennis jden...@redhat.com wrote:
Brian Ertel wrote:
John,
In the FAQ under the title Install the desired rpm's it reads:
The rpm's under /usr/src/redhat/RPMS are the packages you'll want to install.
% sudo rpm -Uhv
@lists.freeradius.org on
behalf of John Dennis
Sent: Tue 1/13/2009 4:28 PM
To: FreeRadius users mailing list
Subject: Re: eap/tls freeradius openssl
Brian Ertel wrote:
John,
In the FAQ under the title Install the desired rpm's it reads:
The rpm's under /usr/src/redhat/RPMS are the packages you'll
Brian Ertel wrote:
John,
In the FAQ under the title Install the desired rpm's it reads:
The rpm's under /usr/src/redhat/RPMS are the packages you'll want to install.
% sudo rpm -Uhv /usr/src/redhat/SRPMS/freeradius-2.1.1-7.fc10.src.rpm
On Tue, 2009-01-13 at 16:38 -0500, Brian Ertel wrote:
Oh, and should I include the /i386 dir and the i386.rpm suffix like:
rpm -Uhv /usr/src/redhat/RPMS/i386/freeradius-2.1.3-1.i386.rpm
/usr/src/redhat/RPMS/i386/freeradius-libs-2.1.3-1.i386.rpm
suggestion...make life easy on yourself
Brian Ertel wrote:
Oh, and should I include the /i386 dir and the i386.rpm suffix like:
rpm -Uhv /usr/src/redhat/RPMS/i386/freeradius-2.1.3-1.i386.rpm
/usr/src/redhat/RPMS/i386/freeradius-libs-2.1.3-1.i386.rpm
Yes, use the filenames rpmbuild generated (it will tell you)
--
John Dennis
Cool, thanks.
Brian
On 1/13/09 4:58 PM, John Dennis jden...@redhat.com wrote:
Brian Ertel wrote:
Oh, and should I include the /i386 dir and the i386.rpm suffix like:
rpm -Uhv /usr/src/redhat/RPMS/i386/freeradius-2.1.3-1.i386.rpm
/usr/src/redhat/RPMS/i386/freeradius-libs-2.1.3-1.i386.rpm
Hi,
I have a lot of problems doing an EAP-TLS authentication with
Freeradius 2.1.3. We're doing a machine-based authentication with
certs, using EAP-TLS with 802.1x capable Linksys switches (cable based).
We had NO problems at all with Freeradius 1.1.0 and Windows 2000 SP4 and
XP SP2
Hi,
With XP SP3 the auth failed, I googled that FR 1.1.0 is not capable to
do this, because SP3 is realizing the same 802.1x engine as Vista does.
So I upgraded to 2.1.3 and compiled it on OpenSuse 10.1 without errors
and the software runs without problems. But the auth still doesn't
Can you post the debug of the *same* client certificate being accepted
from the SP2 machine and rejected from SP3.
Ivan Kalik
Kalik Informatika ISP
On 12/1/2009, Alexandros Gougousoudis
gougousoudis-l...@servicecenter-khs.de wrote:
Hi,
I have a lot of problems doing an EAP-TLS
White
Sent: Fri 1/9/2009 2:41 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: eap/tls freeradius openssl
http://wiki.freeradius.org/Red_Hat_FAQ
nice wiki
On Fri, 2009-01-09 at 14:21 -0500, Brian Ertel wrote:
Alan,
I am running CentOS 5.
Thanks,
Brian
-Original
Brian Ertel wrote:
Ok, I think I've installed everything correctly (according to the faq) but
obviously not. starting radius in debug I still get:
Perhaps you built and installed things correctly, it's hard to tell, but
you might have more than one version installed and you might be
hi,
did you follow the fedora/redhat guide as posted to
this list - or did you just install openssl-devel and try
the daemon again? if so, that won't work. you will need to
rerun the ./configure and make steps again for the
system to learn you've got the SSL support installed..and
thus compile in
I installed the openssl and openssl-devel rpms and the freeradius SRPM with
all dependency rpms...
Brian
On 1/12/09 3:39 PM, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk
wrote:
hi,
did you follow the fedora/redhat guide as posted to
this list - or did you just install openssl-devel and
Brian Ertel wrote:
I installed the openssl and openssl-devel rpms and the freeradius SRPM with
all dependency rpms...
You didn't follow the instructions in the FAQ.
You must build the SRPM and install the resulting RPM's. Please follow the
instructions in the FAQ.
A SRPM contains the source
Hi,
I installed the openssl and openssl-devel rpms and the freeradius SRPM with
all dependency rpms...
..but before you ran your own version up? if so,
you're still running your own version
which radiusd
will probably say /usr/local/sbin/radiusd
you need to run the version the SRPMS would
+bsertel=amherst@lists.freeradius.org on
behalf of a.l.m.bu...@lboro.ac.uk
Sent: Mon 1/12/2009 5:06 PM
To: FreeRadius users mailing list
Subject: Re: eap/tls freeradius openssl
Hi,
I installed the openssl and openssl-devel rpms and the freeradius SRPM with
all dependency rpms...
..but before
Brian Ertel wrote:
I obeyed the faq's every command and get caught up on this:
[r...@freeradius redhat]# rpmbuild -ba rpmbuild /usr/src/redhat/SPECS/freeradius.spec
error: failed to stat /usr/src/redhat/rpmbuild: No such file or directory
My apologies, there was a typo in the FAQ, the
Ahhh, ok. Tomorrow's another day
Thanks John,
Brian
From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on
behalf of John Dennis
Sent: Mon 1/12/2009 6:14 PM
To: FreeRadius users mailing list
Subject: Re: eap/tls freeradius openssl
Ok,
I am ready to get flamed. I reinstalled the newest ver. of Freeradius and did
not change anything. It started up in debug mode. I am trying to put together
a system that will do eap/tls. Wireless client - WAP - Radius... I also
just installed the newest version of openssl
Brian Ertel wrote:
I am ready to get flamed. I reinstalled the newest ver. of Freeradius
and did not change anything. It started up in debug mode. I am trying
to put together a system that will do eap/tls. Wireless client - WAP
- Radius... I also just installed the newest version
Alan,
I am running CentOS 5.
Thanks,
Brian
-Original Message-
From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on
behalf of Alan DeKok
Sent: Fri 1/9/2009 2:15 PM
To: FreeRadius users mailing list
Subject: Re: eap/tls freeradius openssl
Brian Ertel wrote:
I
: Fri 1/9/2009 2:15 PM
To: FreeRadius users mailing list
Subject: Re: eap/tls freeradius openssl
Brian Ertel wrote:
I am ready to get flamed. I reinstalled the newest ver. of Freeradius
and did not change anything. It started up in debug mode. I am trying
to put together a system
To: freeradius-users@lists.freeradius.org
Subject: RE: eap/tls freeradius openssl
http://wiki.freeradius.org/Red_Hat_FAQ
nice wiki
On Fri, 2009-01-09 at 14:21 -0500, Brian Ertel wrote:
Alan,
I am running CentOS 5.
Thanks,
Brian
-Original Message-
From: freeradius-users-bounces
and
freeradius-openssl-dev rpm?
Thanks,
Brian
-Original Message-
From: freeradius-users-bounces+bsertel=amherst@lists.freeradius.org on
behalf of Craig White
Sent: Fri 1/9/2009 2:41 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: eap/tls freeradius openssl
This may sound like a strange request, but I'd like to know if it is
possible to use FreeRADIUS to perform EAP-TLS without asking for a
client certificate. The purpose is to allow for a secure connection
to an access point without client authentication.
EAP has nothing to do with secure
transfer of the keying material to the client without
requiring the client to authenticate itself. RFC 5216 The EAP-TLS
Authentication Protocol (http://www.ietf.org/rfc/rfc5216.txt) has
clarified that it is not mandatory that the EAP server require peer
authentication:
The certificate_request message
While WPA and WPA2 do provide for
data-link encryption, it needs keying material to encrypt the
communication. It can use a pre-shared key (PSK) for this purpose,
but this has the drawbacks of communicating the key to the user and
configuration on the end users part.
So they don't want PSK.
the identity of the server and provides
for secure transfer of the keying material to the client without
requiring the client to authenticate itself. RFC 5216 The EAP-TLS
Authentication Protocol (http://www.ietf.org/rfc/rfc5216.txt) has
clarified that it is not mandatory that the EAP server require
: EAP-TLS without client authentication
Christopher Byrd wrote:
What I am looking for is a way to replace open, clear text WiFi at public
hotspots (and possibly newly installed home WiFi routers) with
something more secure.
This is network layer security.
That's where WPA-Enterprise comes
Hi,
I've modified the eap.conf, clients.conf, and users respectfully but am getting
the below error when started radius:
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: No EAP type
Brian Ertel wrote:
I've modified the eap.conf, clients.conf, and users respectfully but am
getting the below error when started radius:
You have edited *too much*.
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap:
This may sound like a strange request, but I'd like to know if it is
possible to use FreeRADIUS to perform EAP-TLS without asking for a
client certificate. The purpose is to allow for a secure connection
to an access point without client authentication. I think this might
be useful to replace
Attou eric wrote:
We are having some issues in setting up freeradius to support EAP-TLS,
EAP-TTLS and EAP-PEAP.
Our goal is to have our authentication server providing those three
Auth-Type simultaneously.
To support EAP-TLS, we generate our CA and certificates via TinyCA.
Please read
We are having some issues in setting up freeradius to support EAP-TLS,
EAP-TTLS and EAP-PEAP.
Our goal is to have our authentication server providing those three Auth-Type
simultaneously.
To support EAP-TLS, we generate our CA and certificates via TinyCA.
We also add radius' log after
On Thu, Dec 11, 2008 at 9:16 AM, Attou eric gouroue...@yahoo.fr wrote:
Hi Everybody.
We are having some issues in setting up freeradius to support EAP-TLS,
EAP-TTLS and EAP-PEAP.
Our goal is to have our authentication server providing those three
Auth-Type simultaneously.
To support EAP
henry1412 wrote:
I want to build an IEEE 802.1x authentication environment and
I have installed freeradius-1.0.2,
Why? It's outdated and has serious security flaws in EAP.
I just do some testing with old version who had more documents. It seems
the old version also can run well, but I can't
Under my freeradius and ap current configuration, I can be successfully
authenticated by windows xp client, but failed by linux client of
wpa_supplicant-0.4.8. What's wrong with my setting? Is my wpa_supplicant
version too old or my wpa_supplicant config file has some problem?
Under my freeradius and ap current configuration, I can be successfully
authenticated by windows xp client, but failed by linux client of
wpa_supplicant-0.4.8. What's wrong with my setting? Is my wpa_supplicant
version too old or my wpa_supplicant config file has some problem?
And you are asking
On Tue, Dec 9, 2008 at 5:35 AM, Alan DeKok [EMAIL PROTECTED] wrote:
Jason Wittlin-Cohen wrote:
I already do that with the Juniper Access Client. The problem is that
the client certificate has the user's name as the Common Name and that
is sent in the clear. PEAP/EAP-TLS sends the user's
Ivan,
I already do that with the Juniper Access Client. The problem is that the
client certificate has the user's name as the Common Name and that is sent
in the clear. PEAP/EAP-TLS sends the user's certificate through the tunnel
obviating the issue. I admit this isn't a large problem
http://wiki.freeradius.org/EAP
You should be able to set anonymous as user name for outer tunnel EAP-TLS
negotiation on the supplicant and use EAP-TLS with identity hidden.
Ivan Kalik
Kalik Informatika ISP
On 9/12/2008, Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
I'm attempting to setup
Jason Wittlin-Cohen wrote:
I already do that with the Juniper Access Client. The problem is that
the client certificate has the user's name as the Common Name and that
is sent in the clear. PEAP/EAP-TLS sends the user's certificate through
the tunnel obviating the issue. I admit this isn't
EAP/TLS TLS_accept error
Hi:
I want to build an IEEE 802.1x authentication environment and
I have installed freeradius-1.0.2, openssl-0.9.8i, hostapd-0.4.8,
wpa_supplicant-0.4.8. The authentication server is built in redhat9 ,
the database is mysql5 and client
henry1412 wrote:
I want to build an IEEE 802.1x authentication environment and
I have installed freeradius-1.0.2, openssl-0.9.8i, hostapd-0.4.8,
wpa_supplicant-0.4.8. The authentication server is built in redhat9 ,
the database is mysql5 and client is build in linux.
Most of these software
I want to build an IEEE 802.1x authentication environment and
I have installed freeradius-1.0.2,
Why? It's outdated and has serious security flaws in EAP.
Ivan Kalik
Kalik Informatika ISP
I'm attempting to setup PEAPv0/EAP-TLS which uses EAP-TLS as the inner
authentication method within PEAP. Unlike EAP-TLS, PEAPv0/EAP-TLS sends the
client certificate within the secure SSL tunnel, thus protecting the user's
identity. While RFC-5216 suggests that EAP-TLS can optionally support