Re: [RADIATOR] Server 2008 R2 x64 - radsec certificate verify failed
On 12/14/2011 05:21 PM, Röver, Christian wrote:
> The posted logfile is the full trace 4 logging and the config I posted
> before is the complete config (I only cut the descriptions and the lines that
> were commented out).

Ok.

> The certificates are all valid and have been verified by the toplevel-ca.
> Maybe it is useful to know, that we have our own CA.
> Our CA is the lowest in a row of three CA's. The CA-files are all stored in
> the CAPath-folder together with our own CA's chain file.

You could try TLS_CAFile instead of TLS_CAPath. Please see below for more.

> The error message tells about problems with the verification of a
> certificate. Is there any need to use the CA-files directly instead of the
> CAPath?

If you use CAPath, the certificate files are accessed by CA subject name hash. In most cases this means there's a symbolic link like this:

  lrwxrwxrwx 1 root root 20 2011-10-13 16:42 ddc328ff.0 -> Thawte_Server_CA.pem

See this for how to use command c_rehash to create the links:
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

Instead of using TLS_CAPath you can put all CA certificates in one file and point TLS_CAFile to that file. That might be easier than maintaining the symbolic links for all required certificates.

> Another question is: we use eaptls for the communication with our ldap
> server (this works!), but we have to use TLS for radsec with the toplevel
> server. Might there be a problem?

Sorry, I did not quite understand this. You can use SSL or TLS for LDAP connections from Radiator without worries with RadSec.

I also just noticed you use AuthBy RADIUS too. Are you proxying PEAP and TTLS inner authentication via RADIUS?

Thanks!

-- 
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
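An added example (not from the list post or from Radiator itself) of the two checks Heikki describes: confirming that a TLS_CAPath directory carries the subject-hash links OpenSSL looks up, and building a single TLS_CAFile bundle and verifying a peer certificate against it. It assumes the openssl command-line tool is installed; the directory and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the mailing list post. Assumes the 'openssl'
# CLI; directory and file names are hypothetical.

# Return 0 if every *.pem CA certificate in directory $1 is reachable through
# a <subject_hash>.N link, which is what c_rehash creates and what a
# TLS_CAPath lookup relies on. Prints each missing link on stderr.
check_capath() {
    dir=$1
    rc=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem") || return 2
        found=0
        for link in "$dir/$hash".[0-9]*; do
            # -ef follows the symlink, so a relative link target still matches.
            [ -e "$link" ] && [ "$link" -ef "$pem" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing hash link $hash.N for $pem" >&2
            rc=1
        fi
    done
    return $rc
}

# Concatenate all CA certificates in directory $1 into bundle file $2,
# suitable for pointing TLS_CAFile at instead of TLS_CAPath.
build_cafile() {
    cat "$1"/*.pem > "$2"
}

# Verify peer certificate $2 against bundle $1, as the RadSec TLS handshake
# would; returns non-zero when the chain does not end in a bundled CA.
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```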
Re: [RADIATOR] EAP-PEAP Windows XP Wired Ethernet
On 12/15/2011 06:18 AM, Indrajaya Pitra Perdana wrote:
> The problem still persists even after I created my own certificate using the
> steps in mkcertificate.sh goodies; my Windows didn't respond to the EAP
> challenge sent by Radiator. Do you have any clue on this? Or perhaps the
> problem is within my 2950 Catalyst? thanks :-)

You could try enabling debug for EAP authentication on the switch to see how it reacts to EAP messages. Meanwhile you could also try running Wireshark on Windows to see if the challenge with the certificate is sent by the switch to the XP box.

One thing you could try first is to use an even lower value for EAPTLS_MaxFragmentSize. The messages before the certificate are much smaller, and so this challenge would be the first that can reach the maximum size.

Thanks!

-- 
Heikki Vatiainen
[RADIATOR] R: R: EAP-Peap-ntlm stops
Thanks Heikki,

I proxied the inner auth to another Radiator with a smb 3.4.7 (Ubuntu lucid) and all works fine ... all except an annoying and incomprehensible message related to the certificate on Windows :-\ but this is another story :-)

Cheers

-- 
Fabio Prina
System Specialist
Easynet
T +39 02 30301 500
W www.easynet.com

> -----Original Message-----
> From: Heikki Vatiainen [mailto:h...@open.com.au]
> Sent: Tuesday, 13 December 2011 16:06
> To: Fabio Prina
> Cc: Radiator ML (radiator@open.com.au)
> Subject: Re: R: [RADIATOR] EAP-Peap-ntlm stops
>
> On 12/12/2011 07:49 PM, Fabio Prina wrote:
>
> > I've read the 2 links, and I suppose that this is the problem; my
> > current samba version is 3.2.5; the ntlm auth does not work only in
> > this case
>
> If you are using RedHat or Centos, you may want to consider samba3x RPM.
> I have not used it myself, but apparently ntlm_auth should work with that
> version.
>
> --
> Heikki Vatiainen
[RADIATOR] Application like radclient
Hello

Does Radiator have some application like (radclient) of FreeRADIUS?
Re: [RADIATOR] EAP-PEAP Windows XP Wired Ethernet
Thanks, I'll give it a try. I already enabled TLS trace in my Win XP, and I don't see there's an exchange certificate :-)

[1448] 11:49:36:218: PeapReadConnectionData
[1448] 11:49:36:218: PeapReadUserData
[1448] 11:49:36:218: RasEapGetInfo
[2884] 11:49:52:515: EapPeapBegin
[2884] 11:49:52:515: PeapReadConnectionData
[2884] 11:49:52:515: PeapReadUserData
[2884] 11:49:52:515:
[2884] 11:49:52:515: EapTlsBegin(test)
[2884] 11:49:52:515: State change to Initial
[2884] 11:49:52:515: EapTlsBegin: Detected 8021X authentication
[2884] 11:49:52:515: EapTlsBegin: Detected PEAP authentication
[2884] 11:49:52:515: MaxTLSMessageLength is now 16384
[2884] 11:49:52:515: EapPeapBegin done
[2884] 11:49:52:515: EapPeapMakeMessage
[2884] 11:49:52:515: EapPeapCMakeMessage
[2884] 11:49:52:515: PEAP:PEAP_STATE_INITIAL
[2884] 11:49:52:515: EapTlsCMakeMessage
[2884] 11:49:52:515: EapTlsReset
[2884] 11:49:52:515: State change to Initial
[2884] 11:49:52:515: GetCredentials
[2884] 11:49:52:515: Flag is Client and Store is Current User
[2884] 11:49:52:515: GetCachedCredentials
[2884] 11:49:52:515: FreeCachedCredentials
[2884] 11:49:52:515: No Cert Store. Guest Access requested
[2884] 11:49:52:515: No Cert Name. Guest access requested
[2884] 11:49:52:515: Will validate server cert
[2884] 11:49:52:515: MakeReplyMessage
[2884] 11:49:52:515: SecurityContextFunction
[2884] 11:49:52:515: InitializeSecurityContext returned 0x90312
[2884] 11:49:52:515: State change to SentHello
[2884] 11:49:52:515: BuildPacket
[2884] 11:49:52:515: << Sending Response (Code: 2) packet: Id: 2, Length: 80, Type: 13, TLS blob length: 70. Flags: L
[2884] 11:49:52:515: EapPeapCMakeMessage done
[2884] 11:49:52:515: EapPeapMakeMessage done
[1352] 11:50:22:531: EapPeapEnd
[1352] 11:50:22:531: EapTlsEnd
[1352] 11:50:22:531: EapTlsEnd(test)
[1352] 11:50:22:531: EapPeapEnd done
[1352] 11:50:22:562: EapPeapBegin
[1352] 11:50:22:562: PeapReadConnectionData
[1352] 11:50:22:562: PeapReadUserData
[1352] 11:50:22:562:
[1352] 11:50:22:562: EapTlsBegin(test)
[1352] 11:50:22:562: State change to Initial
[1352] 11:50:22:562: EapTlsBegin: Detected 8021X authentication
[1352] 11:50:22:562: EapTlsBegin: Detected PEAP authentication
[1352] 11:50:22:562: MaxTLSMessageLength is now 16384
[1352] 11:50:22:562: EapPeapBegin done
[1352] 11:50:22:562: EapPeapMakeMessage
[1352] 11:50:22:562: EapPeapCMakeMessage
[1352] 11:50:22:562: PEAP:PEAP_STATE_INITIAL
[1352] 11:50:22:562: EapTlsCMakeMessage
[1352] 11:50:22:562: EapTlsReset
[1352] 11:50:22:562: State change to Initial
[1352] 11:50:22:562: GetCredentials
[1352] 11:50:22:562: Flag is Client and Store is Current User
[1352] 11:50:22:562: GetCachedCredentials
[1352] 11:50:22:562: FreeCachedCredentials
[1352] 11:50:22:562: No Cert Store. Guest Access requested
[1352] 11:50:22:562: No Cert Name. Guest access requested
[1352] 11:50:22:562: Will validate server cert
[1352] 11:50:22:562: MakeReplyMessage
[1352] 11:50:22:562: SecurityContextFunction
[1352] 11:50:22:562: InitializeSecurityContext returned 0x90312
[1352] 11:50:22:562: State change to SentHello
[1352] 11:50:22:562: BuildPacket
[1352] 11:50:22:562: << Sending Response (Code: 2) packet: Id: 37, Length: 80, Type: 13, TLS blob length: 70. Flags: L
[1352] 11:50:22:562: EapPeapCMakeMessage done
[1352] 11:50:22:562: EapPeapMakeMessage done
[1448] 11:50:52:578: EapPeapEnd
[1448] 11:50:52:578: EapTlsEnd
[1448] 11:50:52:578: EapTlsEnd(test)
[1448] 11:50:52:578: EapPeapEnd done
[1448] 11:51:52:593: PeapReadConnectionData
[1448] 11:51:52:593: PeapReadUserData
[1448] 11:51:52:593: RasEapGetInfo
[1352] 12:02:42:625: PeapReadConnectionData
[1352] 12:02:42:640: PeapReadUserData
[1352] 12:02:42:640: RasEapGetInfo
[1352] 12:02:42:640: PeapReDoUserData
[1352] 12:02:42:640: EapTlsInvokeIdentityUI
[1352] 12:02:42:640: GetCertInfo
[1352] 12:03:42:640: PeapReadConnectionData
[1352] 12:03:42:640: PeapReadUserData
[1352] 12:03:42:640: RasEapGetInfo
[1352] 12:03:42:671: EapPeapBegin
[1352] 12:03:42:671: PeapReadConnectionData
[1352] 12:03:42:671: PeapReadUserData
[1352] 12:03:42:671:
[1352] 12:03:42:671: EapTlsBegin(GHOST\indrajaya)
[1352] 12:03:42:671: State change to Initial
[1352] 12:03:42:671: EapTlsBegin: Detected 8021X authentication
[1352] 12:03:42:671: EapTlsBegin: Detected PEAP authentication
[1352] 12:03:42:671: MaxTLSMessageLength is now 16384
[1352] 12:03:42:671: EapPeapBegin done
[1352] 12:03:42:671: EapPeapMakeMessage
[1352] 12:03:42:671: EapPeapCMakeMessage
[1352] 12:03:42:671: PEAP:PEAP_STATE_INITIAL
[1352] 12:03:42:671: EapTlsCMakeMessage
[1352] 12:03:42:671: EapTlsReset
[1352] 12:03:42:671: State change to Initial
[1352] 12:03:42:671: GetCredentials
[1352] 12:03:42:671: Flag is Client and Store is Current User
[1352] 12:03:42:671: GetCachedCredentials
[1352] 12:03:42:671: FreeCachedCredentials
[1352] 12:03:42:671: No Cert Store. Guest Access requested
[1352] 12:03:42:671: No Cert Name. Guest access requested
[1352] 12:03:42:671: Will validate server cert
[1352] 12:03:42:671: MakeRep
Re: [RADIATOR] Application like radclient
Hello Sergio -

Yes - it's called "radpwtst". You will find it in the main Radiator distribution directory. See also section 8 in the Radiator 4.9 reference manual ("doc/ref/pdf").

Here is the "help":

TiTi:Radiator-4.9 hugh$ perl radpwtst -h
usage: radpwtst [-h] [-time] [-iterations n] [-trace [level]]
    [-s server] [-secret secret] [-retries n]
    [-noauth] [-noacct] [-nostart] [-nostop] [-alive] [-status]
    [-chap] [-mschap] [-mschapv2] [-eapmd5] [-eapotp] [-eapgtc] [-sip] [-leap]
    [-motp_secret ] [-eaphex x] [-accton] [-acctoff]
    [-framed_ip_address address] [-auth_port port] [-acct_port port]
    [-identifier n] [-user username] [-password password]
    [-nas_ip_address address] [-nas_identifier string]
    [-nas_port port] [-nas_port_type type] [-service_type service]
    [-calling_station_id string] [-called_station_id string]
    [-session_id string] [-interactive] [-delay_time n]
    [-session_time n] [-input_octets n] [-output_octets n]
    [-timeout n] [-dictionary file,file] [-gui] [-class string]
    [-useoldascendpasswords] [-code requestcode]
    [-raw data] [-rawfile filename] [-rawfileseq filename]
    [-outport port] [-bind_address dotted-ip-address]
    [-options optionfile]
    [attribute=value]...

regards

Hugh

On 16 Dec 2011, at 12:35, sergio wrote:
> Hello
>
> Radiator has some application like (radclient) of freeradius ?

-- 
Hugh Irvine
h...@open.com.au