Gentoo Forums
Freeradius EAP-TLS XP-Client
mariourk
l33t


Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

Posted: Tue Oct 07, 2008 9:55 am    Post subject: Freeradius EAP-TLS XP-Client

I have installed a FreeRadius server to authenticate all the clients on our WiFi network. Everything seems to work fine, except that the authentication of an XP client will fail. When I disable the option to verify the server, it works fine. But this is not what I want.

For some reason, the clients seem to dislike the server's authentication. When I Google on this, all answers are that I need the XP extension in my certificates in order to make it work.
Code:

[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1


I am 100% positive that I have this in my certificates. The client's certificate is labeled as a client and the server's as a server. Still it doesn't work. Does someone have an idea why?

This is what the Radius-server says.
Code:

Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.88 port 3072, id=0, length=196
Cleaning up request 18 ID 0 with timestamp +350
   User-Name = "Laptop Test"
   NAS-IP-Address = 192.168.1.88
   Called-Station-Id = "001ee5a4a693"
   Calling-Station-Id = "0012f0157341"
   NAS-Identifier = "001ee5a4a693"
   NAS-Port = 39
   Framed-MTU = 1400
   State = 0x1f67a4231c63a90625cbd4ac3bd6d0fe
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0204003b0d0063bad74eaab2b55766d21403010001011603010020b8d1108da8702993b80b5e94ab53e06276c6c4b8ad36209f461ca70bb8e427bd
   Message-Authenticator = 0x51504f5c007c9df1f1030969aea8e5ef
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "Laptop Test", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 59
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry Laptop Test at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 03c1], Certificate 
chain-depth=1,
error=0
--> User-Name = Laptop Test
--> BUF-Name = gbugrafici
--> subject = /C=NL/ST=Flevoland/L=Urk/O=GBU/OU=Systeembeheer/CN=gbugrafici/emailAddress=rootca@gbugrafici.nl
--> issuer  = /C=NL/ST=Flevoland/L=Urk/O=GBU/OU=Systeembeheer/CN=gbugrafici/emailAddress=rootca@gbugrafici.nl
--> verify return:1
chain-depth=0,
error=0
--> User-Name = Laptop Test
--> BUF-Name = Laptop Test
--> subject = /C=NL/ST=Flevoland/L=Urk/O=GBU/OU=Systeembeheer/CN=Laptop Test/emailAddress=rootca@gbugrafici.nl
--> issuer  = /C=NL/ST=Flevoland/L=Urk/O=GBU/OU=Systeembeheer/CN=gbugrafici/emailAddress=rootca@gbugrafici.nl
--> verify return:1
    TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange 
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify 
    TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished 
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] 
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished 
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.88 port 3072
   EAP-Message = 0x010500350d800000002b140301000101160301002009c93f85011b11c11906166cecd8f0f17161af7bfaf73bde391329020f65133c
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x1f67a4231b62a90625cbd4ac3bd6d0fe
Finished request 19.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 19 ID 0 with timestamp +350
Ready to process requests.

_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.
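
Added example, not part of the original post and not FreeRADIUS code: a small Python decoder for the two EAP-Message values in the log above, following the EAP-TLS packet layout of RFC 5216 (code, id, length, type 13, flags, optional TLS message length, TLS records). The function names are illustrative, and the step that skips leading bytes of a continuation fragment is a heuristic assumed here, since the earlier fragments are not in the log.

```python
import struct

# EAP-Message values copied from the debug log above (request with id=0 and its reply).
CLIENT_MSG = ("0204003b0d0063bad74eaab2b55766d21403010001011603010020"
              "b8d1108da8702993b80b5e94ab53e06276c6c4b8ad36209f461ca70bb8e427bd")
SERVER_MSG = ("010500350d800000002b1403010001011603010020"
              "09c93f85011b11c11906166cecd8f0f17161af7bfaf73bde391329020f65133c")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def parse_tls_records(data):
    """Return [(type_name, length)] if data is exactly a run of TLS records, else None."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 5 > len(data):
            return None
        ctype, major, _minor, length = struct.unpack_from("!BBBH", data, pos)
        if ctype not in TLS_TYPES or major != 3 or pos + 5 + length > len(data):
            return None
        records.append((TLS_TYPES[ctype], length))
        pos += 5 + length
    return records

def decode_eap_tls(hex_msg):
    """Decode one EAP-TLS packet given as hex (without the 0x prefix)."""
    raw = bytes.fromhex(hex_msg)
    if len(raw) < 6 or raw[4] != 13:          # EAP type 13 = EAP-TLS
        raise ValueError("not an EAP-TLS packet")
    code, ident, length = struct.unpack_from("!BBH", raw, 0)
    if length != len(raw):
        raise ValueError("EAP length field does not match packet size")
    flags, body = raw[5], raw[6:]
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "length_included": bool(flags & 0x80), "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20), "tls_message_length": None}
    if flags & 0x80:                           # L bit: 4-byte total TLS message length
        info["tls_message_length"] = struct.unpack_from("!I", body, 0)[0]
        body = body[4:]
    # Heuristic (assumption): a continuation fragment begins mid-record, so skip to
    # the first offset from which the remaining bytes parse cleanly as TLS records.
    for skip in range(len(body)):
        records = parse_tls_records(body[skip:])
        if records:
            break
    else:
        skip, records = len(body), []
    info.update(leading_fragment_bytes=skip, records=records)
    return info
```

For the two packets above, both decode to a ChangeCipherSpec record followed by a 32-byte Handshake record, matching the Finished messages the log reports in each direction. The client packet additionally starts with 10 bytes that do not begin a TLS record.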
mariourk
l33t


Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

Posted: Wed Oct 08, 2008 8:34 pm

*kick*

No one? :cry:
All times are GMT