Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
Hi everybody.

This afternoon I posted a message on this ML but it was too big (150kB), because of the weight of the server log: "Is being held until the list moderator can review it for approval." Could anyone (the moderator) please validate this message and submit it to the community?

Thanks.

Jonathan Amiez
--
***
Jonathan Amiez
Administrateur système
j...@edatis.com
***
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
Jonathan Amiez wrote:
> This afternoon I posted a message on this ML but it was too big (150kB), because of the weight of the server log

Don't post large messages.

> Could anyone (the moderator) please validate this message and submit it to the community?

Post a smaller message. There is no reason for posting 150K of debug logs. The issue should be obvious after no more than 20-30 packets.

Alan DeKok.
Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
>> As the title says, I'm trying to set up FreeRadius to authenticate wireless clients (employees). I just finished deploying a Samba/Ldap domain, and I'd like to take advantage of this user db. I already followed several howtos, more or less outdated.
>
> Why not just install 2.1.8?

I upgraded to FR 2.1.8 from lenny-backports.

>> I'm not familiar with the bunch of protocols coming with radius and 802.1x (PEAP, CHAP, etc.), and I can't find the issue.
>
> Read the debug output, and look for peap. It is telling you why it isn't working.

Sorry, I focused on the connection output more than on the starting one.

> See also my web site for instructions on getting EAP to work:
> http://deployingradius.com

I have already browsed your website and followed it.

Therefore, I have again trouble in setting up this configuration. The problem is EAP/PEAP related, and I am not able to resolve it.

I authenticate successfully with the radtest tool (locally and remotely) but I can't get radeapclient to work, and obviously my wireless client.

I think it comes from this:

TLS Alert read:fatal:unknown CA

but I don't think I need real certs to get it working. I searched the web for hours but I can't figure it out.

Below is a new debug output of my server.

By the way, I'm wondering why there are several cycles for one authentication (ie "Finished request x. Going to the next request...").

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 3 2010 at 15:51:52
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/ldap.bak
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file
Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
Jonathan Amiez wrote:
> Therefore, I have again trouble in setting up this configuration. The problem is EAP/PEAP related, and I am not able to resolve it.

Post the debug log into:

http://networkradius.com/freeradius.html

And look for the red text.

> I authenticate successfully with the radtest tool (locally and remotely) but I can't get radeapclient to work, and obviously my wireless client.
> I think it comes from this:
> TLS Alert read:fatal:unknown CA
> but I don't think I need real certs to get it working.

No. It means that the certificate being sent by the client isn't known to the server. The HOWTO on deployingradius.com creates a configuration which does *not* have this problem.

> By the way, I'm wondering why there are several cycles for one authentication (ie "Finished request x. Going to the next request...").

Because more packets are being received.

Alan DeKok.
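As an added example of reading a radiusd -X session the way the reply above suggests (this is not code from the thread or from the FreeRADIUS project), the script below does two things with a debug log: it counts the RADIUS round trips that make up one PEAP authentication, which is why several "Finished request N" cycles belong to a single login, and it maps each "TLS Alert read/write" line to the side that raised it. SAMPLE_LOG is constructed; its line formats approximate FreeRADIUS 2.x debug output, and the host, port and id values are made up.

```python
"""Triage helper for FreeRADIUS 2.x debug output (radiusd -X).

Added example, not FreeRADIUS code. SAMPLE_LOG is CONSTRUCTED: the
rad_recv/Sending/[peap] line formats approximate 2.x output and the
addresses and ids are invented; the alert lines mirror the thread.
"""
import re

SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 3072, id=1, length=153
[eap] Start EAP-TLS/PEAP
Sending Access-Challenge of id 1 to 192.0.2.10 port 3072
Finished request 0.
Going to the next request
rad_recv: Access-Request packet from host 192.0.2.10 port 3072, id=2, length=250
[peap] <<< TLS 1.0 Handshake [length 0059], ClientHello
[peap] >>> TLS 1.0 Handshake [length 0bd7], Certificate
Sending Access-Challenge of id 2 to 192.0.2.10 port 3072
Finished request 1.
Going to the next request
rad_recv: Access-Request packet from host 192.0.2.10 port 3072, id=3, length=160
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Sending Access-Reject of id 3 to 192.0.2.10 port 3072
Finished request 2.
"""

# One PEAP login is several RADIUS round trips: every EAP message from the
# supplicant is a new Access-Request, answered with an Access-Challenge, and
# radiusd logs "Finished request N" for each of them.
PACKET_RE = re.compile(
    r"^(?:rad_recv: |Sending )(Access-(?:Request|Challenge|Accept|Reject))\b")
FINISHED_RE = re.compile(r"^Finished request \d+\.")

# "TLS Alert read:..." was RECEIVED from the supplicant; "TLS Alert write:..."
# was generated by the server. The direction says who refused whose certificate.
TLS_ALERT_RE = re.compile(r"^TLS Alert (read|write):(\w+):(.+)$")
SSL_ERROR_RE = re.compile(r"SSL error error:([0-9A-Fa-f]+):SSL routines:(\w+):(.+)$")

ADVICE = {
    ("read", "unknown CA"): "supplicant does not trust the CA that issued the "
        "server certificate: install ca.pem on the client, do not disable validation",
    ("write", "unknown CA"): "server does not trust the CA that issued the "
        "client certificate (EAP-TLS): check CA_file in the tls section of eap.conf",
}


def count_packets(log):
    """Count RADIUS packets and completed requests in one debug session."""
    counts = {"Access-Request": 0, "Access-Challenge": 0,
              "Access-Accept": 0, "Access-Reject": 0, "finished": 0}
    for line in log.splitlines():
        m = PACKET_RE.match(line)
        if m:
            counts[m.group(1)] += 1
        elif FINISHED_RE.match(line):
            counts["finished"] += 1
    return counts


def classify_tls_alerts(log):
    """Attribute each TLS alert line to the side that raised it, with a fix."""
    findings = []
    for line in log.splitlines():
        m = TLS_ALERT_RE.match(line)
        if not m:
            continue
        direction, level, description = m.groups()
        description = description.strip()
        findings.append({
            "direction": direction, "level": level, "description": description,
            "origin": "supplicant" if direction == "read" else "server",
            "advice": ADVICE.get((direction, description),
                                 "look up the alert in RFC 5246 section 7.2"),
        })
    return findings


def openssl_errors(log):
    """Parse rlm_eap OpenSSL error lines; a *_READ_* routine means the
    failure came from data (here an alert) received from the peer."""
    out = []
    for line in log.splitlines():
        m = SSL_ERROR_RE.search(line)
        if m:
            code, routine, reason = m.groups()
            out.append({"code": code, "routine": routine, "reason": reason.strip(),
                        "received_from_peer": "READ" in routine.upper()})
    return out


if __name__ == "__main__":
    print(count_packets(SAMPLE_LOG))
    for f in classify_tls_alerts(SAMPLE_LOG):
        print(f"alert from {f['origin']} ({f['level']} {f['description']}): {f['advice']}")
    for e in openssl_errors(SAMPLE_LOG):
        print(f"OpenSSL {e['code']} in {e['routine']}: {e['reason']}")
```

A fatal alert the server *reads* came from the supplicant, so for "TLS Alert read:fatal:unknown CA" it is the client that has refused the server's certificate, which matches the advice later in the thread to put the new CA on the client. On a wpa_supplicant client that means pointing ca_cert= at the ca.pem produced by make in raddb/certs (and, ideally, setting subject_match to the server certificate's CN). Turning server validation off instead would make the client hand its MSCHAPv2 exchange inside the PEAP tunnel to any access point backed by a rogue RADIUS server.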
Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
Alan DeKok wrote:
> Jonathan Amiez wrote:
>> Therefore, I have again trouble in setting up this configuration. The problem is EAP/PEAP related, and I am not able to resolve it.
>
> Post the debug log into:
>
> http://networkradius.com/freeradius.html
>
> And look for the red text.

Hmm, should stop matching in AVP output, it's mostly user generated content so it'll give false positives. I guess users should be clever enough to spot 'User-Name = 'error_mc_erin...@errorland.com'' ;)

-Arran
Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
On Thursday 28 January 2010 18:18:01, Alan DeKok wrote:
> Jonathan Amiez wrote:
>> Therefore, I have again trouble in setting up this configuration. The problem is EAP/PEAP related, and I am not able to resolve it.
>
> Post the debug log into:
>
> http://networkradius.com/freeradius.html
>
> And look for the red text.

Thanks for this tool. It gives me this red line in several packets:

rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

In Debian, certs are linked from the snakeoil OpenSSL certs. So I removed the links, got the FR sources and copied the raddb/certs contents into /etc/freeradius/certs. Then I ran make to generate new certs, but the problem's still there.

Regards
--
***
Jonathan Amiez
Administrateur système
j...@edatis.com
***
RE: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Jonathan Amiez
Sent: Thursday, January 28, 2010 11:46 AM
To: FreeRadius users mailing list
Subject: Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth

> On Thursday 28 January 2010 18:18:01, Alan DeKok wrote:
>> Jonathan Amiez wrote:
>>> Therefore, I have again trouble in setting up this configuration. The problem is EAP/PEAP related, and I am not able to resolve it.
>>
>> Post the debug log into:
>>
>> http://networkradius.com/freeradius.html
>>
>> And look for the red text.
>
> Thanks for this tool. It gives me this red line in several packets:
>
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> In Debian, certs are linked from the snakeoil OpenSSL certs. So I removed the links, got the FR sources and copied the raddb/certs contents into /etc/freeradius/certs. Then I ran make to generate new certs, but the problem's still there.

Did you install the new cert on the client?

> Regards
> --
> ***
> Jonathan Amiez
> Administrateur système
> j...@edatis.com
> ***
Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
Jonathan Amiez wrote:
> In Debian, certs are linked from the snakeoil OpenSSL certs. So I removed the links, got the FR sources and copied the raddb/certs contents into /etc/freeradius/certs. Then I ran make to generate new certs, but the problem's still there.

You helpfully deleted the one comment that applies here:

> No. It means that the certificate being sent by the client isn't known to the server.

So... did you put the new CA on the client?

Alan DeKok.
Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
On Thu, Jan 28, 2010 at 06:46:12PM +0100, Jonathan Amiez wrote:
> In Debian, certs are linked from the snakeoil OpenSSL certs. So I removed the links, got the FR sources and copied the raddb/certs contents into /etc/freeradius/certs. Then I ran make to generate new certs, but the problem's still there.

For future reference, raddb/certs files are actually there in the package at /usr/share/doc/freeradius/examples/certs/

--
2. That which causes joy or happiness.
Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth
Jonathan Amiez wrote:
> As the title says, I'm trying to set up FreeRadius to authenticate wireless clients (employees). I just finished deploying a Samba/Ldap domain, and I'd like to take advantage of this user db. I already followed several howtos, more or less outdated.

Why not just install 2.1.8?

> I'm not familiar with the bunch of protocols coming with radius and 802.1x (PEAP, CHAP, etc.), and I can't find the issue.

Read the debug output, and look for peap. It is *telling* you why it isn't working.

See also my web site for instructions on getting EAP to work:

http://deployingradius.com

Alan DeKok.