Re: The EAP Saga continues.

2007-02-20 Thread Alan DeKok
Evan Vittitow wrote: FreeRadius is booting the EAP clients if more than one EAP node shows up on the AP. That's impossible. RADIUS doesn't work like that. XSupplicant and Radius give the EoAoL message to boot additional nodes. There is no such message in RADIUS. And my Aironet, while

Re: The EAP Saga continues.

2007-02-19 Thread Evan Vittitow
FreeRadius is booting the EAP clients if more than one EAP node shows up on the AP. XSupplicant and Radius give the EoAoL message to boot additional nodes. And my Aironet, while succeeded in authentication, reassociates with the other APs in a standard association, not an EAP one.

Re: The EAP Saga continues.

2007-02-14 Thread Evan Vittitow
I need help using TinyCA to manage certificates with FreeRadius. I keep getting this. modcall[authorize]: module suffix returns noop for request 1 rlm_eap: EAP packet type response id 144 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module

Re: The EAP Saga continues.

2007-02-12 Thread Evan Vittitow
I've been doing research and reading, and started using a GUI for my CA called OpenCA. Using this, I have created some certs cacert.pem cacert.key (Private Key) A variety of Host certs in the format of host-cert.pem and host-key.pem. (A Public/Private key per host.) Here is my

Re: The EAP Saga continues.

2007-02-12 Thread Alan DeKok
Evan Vittitow wrote: Here is my Xsupplicant.conf ... This produces the following: ... Help? I suggest asking on the Xsupplicant list. They *do* have a list, and it's not this one. You're more likely to get a useful response if you ask questions on the right list. i.e. I don't use

Re: The EAP Saga continues.

2007-02-07 Thread Evan Vittitow
I'm having an issue telling my server certificate from my client certificate: Issues: Which of these is the client certificate, and which of these is the server cert. in eap.conf private_key_file = ${raddbdir}/certs/cakey.pem certificate_file =

Re: The EAP Saga continues.

2007-02-07 Thread Phil Mayers
Evan Vittitow wrote: I'm having an issue telling my server certificate from my client certificate: Issues: Which of these is the client certificate, and which of these is the server cert. in eap.conf private_key_file = ${raddbdir}/certs/cakey.pem

Re: The EAP Saga continues.

2007-02-02 Thread Phil Mayers
Evan Vittitow wrote: Let me re-phrase, as I think I'm not quite making sense. openssl req -new -keyout kurama.pem -out kurama.pem -days 730 openssl x509 -in kurama.pem -out kurama.crt openssl req -new -keyout altanis.pem -out altanis.pem -days 730 openssl x509 -in altanis.pem -out

RE: The EAP Saga continues.

2007-02-02 Thread Josh Howlett
If you choose to use EAP-PEAP/MS-CHAPv2 you need 4 items: 1. A server certificate, signed by a Cert Authority serverCA ...not forgetting the relevant OID extensions peculiar to EAP-PEAP :-) Josh. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: The EAP Saga continues.

2007-02-02 Thread Evan Vittitow
Phil Mayers wrote: Evan Vittitow wrote: Let me re-phrase, as I think I'm not quite making sense. openssl req -new -keyout kurama.pem -out kurama.pem -days 730 openssl x509 -in kurama.pem -out kurama.crt openssl req -new -keyout altanis.pem -out altanis.pem -days 730 openssl x509 -in

Re: The EAP Saga continues.

2007-02-02 Thread Phil Mayers
Evan Vittitow wrote: The thing is, method number 1 (EAP-TLS) makes more sense for my laptops. Method number 2 (EAP-PEAP) makes more sense for guest laptops that are not mine. The FreeRadius CA wrapper scripts did not work for my distro, so I'm having to run CA.pl and the various

Re: The EAP Saga continues.

2007-02-01 Thread Alan DeKok
Evan Vittitow wrote: Alright, I'm going to step back and talk conceptually. The issue is that the laptops use a combination of LDAP and Kerberos to authenticate to the Domain Controllers. If that's what you've designed your system to do, then it seems to be a problem you created for

Re: The EAP Saga continues.

2007-02-01 Thread Evan Vittitow
Let me re-phrase, as I think I'm not quite making sense. openssl req -new -keyout kurama.pem -out kurama.pem -days 730 openssl x509 -in kurama.pem -out kurama.crt openssl req -new -keyout altanis.pem -out altanis.pem -days 730 openssl x509 -in altanis.pem -out altanis.crt openssl req -new

Re: The EAP Saga continues.

2007-01-31 Thread Evan Vittitow
Alright, I'm going to step back and talk conceptually. The issue is that the laptops use a combination of LDAP and Kerberos to authenticate to the Domain Controllers. (OpenLDAP and a Kerberos KDC.) to authorize and authenticate Humans. So you get a Chicken/Egg issue. You can't authenticate Humans

Re: The EAP Saga continues.

2007-01-30 Thread Phil Mayers
Evan Vittitow wrote: I finally got PEAP working, now I have two questions, should I create a dummy account for the mschap element of authentication. Secondly, how do Eh? PEAP+MSCHAP requires a real account for the mschap portion. I create additional certs for additional hosts in FreeRadius?

Re: The EAP Saga continues.

2007-01-29 Thread Evan Vittitow
I finally got PEAP working, now I have two questions, should I create a dummy account for the mschap element of authentication. Secondly, how do I create additional certs for additional hosts in FreeRadius? As it is now, I can only authenticate one node.