I have a problem authenticating with Cisco Aironet 1200 access point. I
have valid certificates on my laptop and on Freeradius.
This is the output on AP:
Interface Dot11Radio0, Deauthenticating Station 001e.4c8c.8406 Reason:
Sending station has left the BSS
Interface Dot11Radio0, Station
Tomislav Goluza wrote:
I have a problem authenticating with Cisco Aironet 1200 access point. I
have valid certificates on my laptop and on Freeradius.
Are you sure?
This is the output on AP:
Which is irrelevant.
This is what I get on freeradius:
...
Sending Access-Challenge of id 24
Original-Message
Date: Tue, 19 Aug 2008 17:37:34 +0200
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Problems with EAP and LDAP replyItems (2.0.2)
Hi Guys,
Since freeradius2 has some major improvements I try to upgrade from 1.1.4
]
To: freeradius-users@lists.freeradius.org
Subject: Problems with EAP and LDAP replyItems (2.0.2)
Hi Guys,
Since freeradius2 has some major improvements I try to upgrade from 1.1.4.
Unfortunately there are a few problems I encounter:
cause of some weird reason the server isn't sending
Original-Message
Date: Wed, 20 Aug 2008 09:18:57 +0100
From: Ivan Kalik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Problems with EAP and LDAP replyItems (2.0.2)
radiusCallingStationId is already mapped as Calling
Hi Guys,
Since freeradius2 has some major improvements I try to upgrade from 1.1.4.
Unfortunately there are a few problems I encounter:
cause of some weird reason the server isn't sending back my LDAP replyItems
back to the NAS along the Access-Accept packet.
In short I want to authenticate
@Arran Cudbard-Bell
/ Is the prefix and suffix to the regular expression string. Any
characters after the / suffix are used as modifiers. FreeRadius only
supports the i modifier to make matches case insensitive.
resolves to a literal back-slash. Regular expressions use the \ char as
You have to install the ca certificate and the client certificate on the
client-computer, why should client cert be signed from the server cert?
Because the idea is to authenticate those users to *that* server, not to
*every* server that got the certificate from that CA. With your approach
the
You have to install the ca certificate and the client certificate on the
client-computer, why should client cert be signed from the server cert?
Because the idea is to authenticate those users to *that* server, not to
*every* server that got the certificate from that CA. With your
@Arran Cudbard-Bell
Write a regular expression to strip off the proceeding \
Here's one I did earlier If I remember correctly it's to escape to
one \ in the username ... \\ To escape it in the RegExp string, \\ to make \
literal in the regular expression...
I'm not so familiar with
Stefan Puch wrote:
@Arran Cudbard-Bell
Write a regular expression to strip off the proceeding \
Here's one I did earlier If I remember correctly it's to escape to
one \ in the username ... \\ To escape it in the RegExp string, \\ to make \
literal in the regular expression...
@Alan DeKok
I'll bet that if you posted the final Access-Accept from 1.1.7 and from
2.0.1, that they would be *different*. If you make them the same, I'll also
bet that the NAS will accept the user.
You were right (you win the bet), I accidentally commented out an entry in the
default-file,
Stefan Puch wrote:
@Alan DeKok
I'll bet that if you posted the final Access-Accept from 1.1.7 and from
2.0.1, that they would be *different*. If you make them the same, I'll also
bet that the NAS will accept the user.
You were right (you win the bet), I accidentally commented out an
Jeffrey Hutzelman wrote on 04.02.2008 00:43:
--On Thursday, January 31, 2008 05:42:50 PM +0100 Reimer Karlsen-Masur,
DFN-CERT [EMAIL PROTECTED] wrote:
If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your
client certificates they might not work with Windows built-in
--On Thursday, January 31, 2008 05:42:50 PM +0100 Reimer Karlsen-Masur,
DFN-CERT [EMAIL PROTECTED] wrote:
If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your
client certificates they might not work with Windows built-in supplicant.
This is not surprising, if that is the only
Stefan Puch wrote:
Therefore the Makefile is used in the same directory. I'm not really sure, but
in Line 93 where the client.pem is created it must be
-passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER)
Thanks. I've fixed that.
It would also be helpful to integrate
@Reimer Karlsen-Masur
If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your client
certificates you could work around this by disabling the trust setting of
valid certificate usage Microsoft Smartcard Logon in the CAs properties in
Windows built-in certificate store on the PDA.
Stefan Puch wrote on 01.02.2008 09:57:
@Reimer Karlsen-Masur
If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your client
certificates you could work around this by disabling the trust setting of
valid certificate usage Microsoft Smartcard Logon in the CAs properties in
Windows
Stefan Puch wrote:
- running bootstrap creates ca.pem, server.pem, dh and random which are used
with the radius server (server.pem is signed with ca.pem)
- running make client.pem creates a client certificate which is signed by the
server certificate (in my opinion that cannot work
I
The first question I would like to get an answer for is: Which certificate is
needed to sign the client certificate, the CA certificate or the server
certificate?
It's nonsense, that the server certificate signs the client certificate... it
must be signed by the ca certificate.
Sebastian
Hello again,
@Alan DeKok
But I would first suggest trying to use the test certificates that come with
2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that
there is something special about the certificates you're using.
I tried to generate some test certificates using the
Stefan Puch wrote on 31.01.2008 17:05:
Hello again,
...
@Reimer Karlsen-Masur
We know of problems with EE certificates in PDAs containing the
non-repudiation flag.
If the non-repudiation keyUsage *is part* of your client certificates they
might not work with some PDAs built-in supplicants.
Stefan Puch wrote:
Then some people came with their mobile devices which are running Windows
Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the
problems began. The same EAP-TLS certificate which worked fine on a Windows
XP machine doesn't work on e.g. Windows Mobile 6 PDA.
Stefan Puch wrote on 30.01.2008 11:13:
Hello everyone,
I've got some problems with the new version of freeradius, but before I'm going
to open a new bugreport or post long debugtraces from radiusd -X I want to ask
here if someone else has made similar experiences.
I've set up a
Stefan Puch wrote:
Then some people came with their mobile devices which are running Windows
Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems
began. The same EAP-TLS certificate which worked fine on a Windows XP machine
doesn't work on e.g. Windows Mobile 6 PDA.
Hello everyone,
I've got some problems with the new version of freeradius, but before I'm going
to open a new bugreport or post long debugtraces from radiusd -X I want to ask
here if someone else has made similar experiences.
I've set up a freeradius server version 1.1.7 in our club to
Hi All
I am a newbie to freeradius. I am trying to use freeradius as an
authentication server along with a WRT54G Linksys (Cisco) access point.
On the client side I have a Windows machine where I have enabled PEAP
authentication, through which it asks me for user name and password.
The
Anuj Tripathi wrote:
I am a newbie to freeradius. I am trying to use freeradius as an
authentication server along with a WRT54G Linksys (Cisco) access point.
On the client side I have a Windows machine where I have enabled PEAP
authentication, through which it asks me for user name and
It still gives the same problem.
Do I need to make some changes in eap.conf ?
What are the minimal changes required for using Freeradius for PEAP
authentication ?
Following is the response that I am getting :
rad_recv: Access-Request packet from host 10.129.20.111:3591, id=0,
length=169
Anuj Tripathi wrote:
It still gives the same problem.
No, it doesn't. The output is different.
Do I need to make some changes in eap.conf ?
What are the minimal changes required for using Freeradius for PEAP
authentication ?
See the Wiki.
Following is the response that I am getting
I think the Auth-Type value is the problem, try to use an entry like
username User-Password = pass
without explicit the Auth-Type value.
but if it works I do not really understand why it works :)
I'm a freeradius newbie too.
arjuna
Hi.
I have been stuck in this problem for a quite a long time, I hope you can help me.
I have a wireless network using WPA-Enterprise, with EAP-TLS using radius 1.0.2.
The system has been working good so far, using Windows XP clients and Linux with
wpasupplicant with no problems.
On the
Hi Jose,
On the last month I'm having problems making new Windows XP clients connect to
the network, even when old installations of Windows XP SP2 are working good so far.
The OEM Windows XP on the
that's interesting, because I posted the error on the list a couple of
minutes ago. After
I tested this morning, and now have it working. Previously I just had the mschapv2 outside of the peap section and it didn't work. However, I added the mschap stanza to the modules stanza outside of eap. I also added mschap to authorize and authenticate stanzas. Not sure if this was needed, so not
-bounces+mking=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ian Walker
Sent: Friday, September 01, 2006 8:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Problems getting eap-mschapv2 working.
Been trying to get eap working with peap/mschapv2 but it doesn't
seem
You have some items misplaced. Check against the default configuration that came with the server. In particular, mschapv2 and the contents of that stanza.
I've now re-written the stanza and placed it correctly, so it appears like this:
peap { default_eap_type=mschapv2 }
mschapv2 {}
however, there is
On 9/4/06, Ian Walker [EMAIL PROTECTED] wrote:
however, there is no default/sample config that tells me how mschapv2 should
hmhm. the very default eap.conf says inter alia:
#
# This takes no configuration.
#
[...]
mschapv2 {
}
Do you still encounter problems? If so, would you
- Original Message -
From: Ian Walker [EMAIL PROTECTED]
You have some items misplaced. Check against the default configuration
that
came with the server. In particular, mschapv2 and the contents of that
stanza.
I've now re-written the stanza and placed it correctly, so it
Hi,
just to avoid confusion:
On 9/4/06, K. Hoercher [EMAIL PROTECTED] wrote:
Oh, and btw a quick test with 1.1.3 shows that at least with that, the
statement about the (unconditional) need for configuration of the main
mschap module doesn't hold.
That's nonsense, I just messed up different
Ian Walker [EMAIL PROTECTED] wrote:
however, there is no default/sample config that tells me how mschapv2 should
be configured.
The default configuration of mschapv2 works.
Massive edits to the configuration will almost always break it.
Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.
This is my radiusd.conf file:
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var/run
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir
, September 01, 2006 8:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Problems getting eap-mschapv2 working.
Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.
This is my radiusd.conf file:
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix
On Friday 01 September 2006 08:36, Ian Walker wrote:
Been trying to get eap working with peap/mschapv2 but it doesn't seem to
work.
This is my radiusd.conf file:
}
peap {
default_eap_type = mschapv2
mschapv2 {
Bill Roberts wrote:
I'm just posting my experiences in building v1.1.1 in case it is of use
to anyone else with similar problems. My system is Solaris 10 Sparc,
Freeradius v1.1.1, OpenSSL 0.9.8a, Sun compiler version 5.7 (SunStudio 10).
Thanks for the report.
This ultimately caused
Hi,
I'm just posting my experiences in building v1.1.1 in case it is of use
to anyone else with similar problems. My system is Solaris 10 Sparc,
Freeradius v1.1.1, OpenSSL 0.9.8a, Sun compiler version 5.7 (SunStudio 10).
I ran configure like this:
./configure
Johan Arens wrote:
Well thanks for the answers.
What is puzzled me, is the error message error reading client
certificate, it's like freeradius is waiting the client send its
certificate.
Yes, it's a misleading error message, but trust me it's meaningless.
Lots of people get it. My
Johan Arens [EMAIL PROTECTED] wrote:
What is puzzled me, is the error message error reading client certificate,
it's like freeradius is waiting the client send its certificate.
However with TTLS, the client doesn't have a client certificate.
TTLS has the *option* of using a client
Hi
I'm trying to setup a freeradius server, to be able to authenticate
some handheld devices (Intermec 2415). The auth protocol supported by
the handheld is EAP-TTLS.
I've Debian Sarge, and I compiled myself freeradius 1.0.5 with openssl-0.9.7e.
(my compilation options ./configure
Johan Arens [EMAIL PROTECTED] wrote:
I cannot authenticate with the radius, I got this error when the handheld
try to auth :
Wed Feb 15 15:27:42 2006 : Info: Ready to process requests.
Wed Feb 15 15:28:21 2006 : Error: TLS_accept:error in SSLv3 read client
certificate A
Wed Feb 15
I was on the impression that radiusd -X would produce the debug log, I pasted it in the previous mail.
On 2/16/06, Alan DeKok [EMAIL PROTECTED] wrote:
Johan Arens [EMAIL PROTECTED] wrote:
I cannot authenticate with the radius, I got this error when the handheld try to auth :
Wed Feb 15 15:27:42
Johan Arens [EMAIL PROTECTED] wrote:
I was on the impression that radiusd -X would produce the debug log, I
pasted it in the previous mail.
shrug The message I responded to did not have the debug log.
If you're not going to supply it, then good luck solving the
problem. I wish you the
Johan Arens wrote:
Hi
I cannot authenticate with the radius, I got this error when the
handheld try to auth :
Wed Feb 15 15:27:42 2006 : Info: Ready to process requests.
Wed Feb 15 15:28:21 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
Wed Feb 15 15:28:21 2006 :
The debug log has been attached at the end of my first message.
On 2/16/06, Alan DeKok [EMAIL PROTECTED] wrote:
Johan Arens [EMAIL PROTECTED] wrote:
I was on the impression that radiusd -X would produce the debug log, I pasted it in the previous mail.
shrug
The message I responded to did not have
Hi
To reply to Alan Dekok here is the debug log
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file:
Really strange, because if I setup the ap to talk directly with the end
freeradius server it works ok ¿?
The problem is when I try to authenticate a valid user. I can see the
request being proxied and a Access-Challenge packet being received,
but the process stalls.
The supplicant is
Joseba Beltrán [EMAIL PROTECTED] wrote:
Really strange, because if I setup the ap to talk directly with the end
freeradius server it works ok ¿?
Then look at the packets via tcpdump. For some reason the AP or
the supplicant is ignoring the response from the server.
Alan
Hi all,
I have the following setup:
WiFi AP(10.0.0.10)---(10.0.0.1)RADIUS
1--RADIUS 2 (public ip address)
I want to proxy requests from RADIUS1 to RADIUS2 in a WPA environment.
I've setup all the stuff and I can see that requests are proxied. If I
Joseba Beltrán [EMAIL PROTECTED] wrote:
The problem is when I try to authenticate a valid user. I can see the
request being proxied and a Access-Challenge packet being received,
but the process stalls.
The supplicant is ignoring the response from the server. Find out
Hi all !!!
I use: freeradius-snapshot-20040216,
openssl.0.9.7c, pcmcia card cisco and D-Link access point, XP
client
I would like to run PEAP but freeradius show me the
following error. Please, look my authenticate and authorize
modules!!!
any idea??
thanks in
Jose,
You've sent quite a bit of information to the list, but it's been pretty
much useless... The portion of the log that you are sending does not
include the *reason* that the authentication is failing. Please post
the entire portion of the log for this request (or put it on a website
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: No LM-Password or
Alan DeKok wrote:
Why the heck are you doing packet sniffing when you could run the
server in debugging mode to see what it's doing?
I was running debug mode - but the setting use_tunneled_reply didn't
change anything. After a day of debugging I realized that this was the
most idiotic
Arne Brutschy [EMAIL PROTECTED] wrote:
What I'm doing is to read the vlan id from ldap and give it to the
switch. The port the user is connected to will be added to that specific
vlan afterwards. This works just fine with EAP-MD5 or when I'm using my
real username outside the tunnel.
Then