freeradius+peap+mschapv2

Petr Safrata safrata na snit.cz
Monday August 25 11:27:14 CEST 2008


I'm setting it up on SP3.
I generated the CA and server certificates with easy_rsa from OpenVPN.
openssl.conf has the following set:

[ server ]

# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType                     = server
nsComment                       = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment


If I'm not mistaken, the extendedKeyUsage=serverAuth option adds the value
Server Authentication (1.3.6.1.5.5.7.3.1), which I then see in the server certificate.


So the problem probably isn't there.

----- Original Message ----- 
From: "Petr Magnusek" <petr.magnusek na gtsnovera.cz>
To: "Diskuse o Linuxu v cestine" <linux na linux.cz>
Sent: Friday, August 22, 2008 12:19 PM
Subject: Re: freeradius+peap+mschapv2


> Hi,
>
> when you generated the SSL certificates, did you use xpextensions? See here:
> http://gentoo-wiki.com/FreeRADIUS
>
> Just a shot in the dark :) It helped me. You didn't say whether it worked
> before and you then installed SP3, or whether you are setting it up on SP3 for the first time.
>
> P.
>
> -----Original Message-----
> From: Petr Safrata <safrata na dhd.cz>
> Reply-To: Diskuse o Linuxu v cestine <linux na linux.cz>
> To: Diskuse o Linuxu v cestine <linux na linux.cz>
> Subject: freeradius+peap+mschapv2
> Date: Fri, 22 Aug 2008 11:02:29 +0200
>
> Hello,
>
> does anyone have experience with freeradius+peap+mschapv2 and a Windows XP SP3 supplicant?
> PEAP+MSCHAPv2 authentication doesn't work for me and I can't figure out where the problem is.
>
> Thanks
> PS
>
>
> I authenticate users against the users file:
>
> test User-Password == "test"
>
>
> Output from the RADIUS server:
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.1.60:516, id=121, length=132
>        User-Name = "test"
>        NAS-IP-Address = 192.168.1.60
>        NAS-Port = 12
>        Called-Station-Id = "00:0C:46:93:A0:D1"
>        Calling-Station-Id = "00:17:31:22:46:79"
>        Framed-MTU = 1400
>        NAS-Port-Type = Ethernet
>        Connect-Info = "100Mbps"
>        EAP-Message = 0x0201000c0173616672617461
>        Message-Authenticator = 0x186748cc06e5b7189f00691586bbf1d2
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: EAP packet type response id 1 length 12
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 0
>    users: Matched entry test at line 228
>    users: Matched entry DEFAULT at line 245
>  modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>  rlm_eap: EAP Identity
>  rlm_eap: processing type tls
>  rlm_eap_tls: Initiate
>  rlm_eap_tls: Start returned 1
>  modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> Sending Access-Challenge of id 121 to 192.168.1.60 port 516
>        EAP-Message = 0x010200061920
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x6c96bad1547c552c74b83d667bfda25a
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.1.60:516, id=122, length=218
>        User-Name = "test"
>        NAS-IP-Address = 192.168.1.60
>        NAS-Port = 12
>        Called-Station-Id = "00:0C:46:93:A0:D1"
>        Calling-Station-Id = "00:17:31:22:46:79"
>        Framed-MTU = 1400
>        NAS-Port-Type = Ethernet
>        Connect-Info = "100Mbps"
>        EAP-Message = 0x0202005019800000004616030100410100003d030148ae7d192f03c307ea1dd9cb413d92e0e5811941a68822d7112ab97c13c0459100001600040005000a000900640062000300060013001200630100
>        State = 0x6c96bad1547c552c74b83d667bfda25a
>        Message-Authenticator = 0x01701e3ca9ea7b51c95b4ebb1e359297
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>  modcall[authorize]: module "preprocess" returns ok for request 1
>  modcall[authorize]: module "mschap" returns noop for request 1
>    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 1
>  rlm_eap: EAP packet type response id 2 length 80
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 1
>    users: Matched entry test at line 228
>    users: Matched entry DEFAULT at line 245
>  modcall[authorize]: module "files" returns ok for request 1
> modcall: leaving group authorize (returns updated) for request 1
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>  eaptls_verify returned 11
>    (other): before/accept initialization
>    TLS_accept: before/accept initialization
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
>    TLS_accept: SSLv3 read client hello A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>    TLS_accept: SSLv3 write server hello A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 06a9], Certificate
>    TLS_accept: SSLv3 write certificate A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
>    TLS_accept: SSLv3 write server done A
>    TLS_accept: SSLv3 flush data
>    TLS_accept:error in SSLv3 read client certificate A
> rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
> In SSL Handshake Phase
> In SSL Accept mode
>  eaptls_process returned 13
>  rlm_eap_peap: EAPTLS_HANDLED
>  modcall[authenticate]: module "eap" returns handled for request 1
> modcall: leaving group authenticate (returns handled) for request 1
> Sending Access-Challenge of id 122 to 192.168.1.60 port 516
>        EAP-Message = 0x0103040a19c000000706160301004a02000046030148ae8189922ea9a064bc53dcbd2c22bc62ccf15c79e01fc4d2631b09829ad386205d1787d16da2af538c4789609e734eafdfbb8245c9cf93e4b185f5b19ef4808a00040016030106a90b0006a50006a200038530820381308202eaa003020102020102300d06092a864886f70d01010505003065310b300906035504061302435a310b3009060355040813024341310d300b0603550407130450454c48310d300b060355040a1304534e49543110300e06035504031307534e49542043413119301706092a864886f70d010901160a636140736e69742e637a301e170d3038303832323037303832
>        EAP-Message = 0x3082027ca003020102020900ef527decc3cb962b300d
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x91559799f2bbc9652f7b8cfa682da6d6
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 121 with timestamp 48ae8189
> Cleaning up request 1 ID 122 with timestamp 48ae8189
> Nothing to do.  Sleeping until we see a request.
> _______________________________________________
> Linux mailing list
> Linux na linux.cz
> http://www.linux.cz/mailman/listinfo/linux
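As an added example that is not part of the thread: a small decoder for the EAP-Message attribute values in the debug output above, so that each round of the PEAP conversation can be read off the trace (EAP header per RFC 3748, PEAP flags byte, TLS record and handshake types). The three hex strings used below are copied from the quoted log; the field names in the returned dict are my own.

```python
# Added example: decode FreeRADIUS "EAP-Message = 0x..." values (RFC 3748 EAP
# header, EAP-TLS/PEAP flags byte, then TLS records) to see what each round carried.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 14: "ServerHelloDone", 16: "ClientKeyExchange"}

def tls_records(data):
    """Yield (content_type, (major, minor), handshake_type_name) per TLS record."""
    while len(data) >= 5:
        ctype, ver = data[0], (data[1], data[2])
        rlen = int.from_bytes(data[3:5], "big")
        body = data[5:5 + rlen]
        hs = TLS_HANDSHAKE.get(body[0]) if ctype == 22 and body else None
        yield ctype, ver, hs
        data = data[5 + rlen:]

def parse_eap(hex_value):
    """Describe one complete EAP packet given as the 0x... hex shown by radiusd -X."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):            # one fragment of a split/truncated attribute
        raise ValueError(f"EAP length field {length} but {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length <= 4:                   # Success/Failure carry no type byte
        return info
    etype, payload = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                    # outer identity is sent in the clear
        info["identity"] = payload.decode("ascii", "replace")
    elif etype in (13, 25):           # EAP-TLS / PEAP: flags [+ 4-byte TLS total length]
        flags = payload[0]
        info["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        info["peap_version"] = flags & 0x07
        tls = payload[1:]
        if flags & 0x80:              # L bit: total TLS message length precedes the data
            info["tls_total_length"] = int.from_bytes(tls[:4], "big")
            tls = tls[4:]
        info["tls_records"] = list(tls_records(tls))
    return info

if __name__ == "__main__":
    # The three complete EAP-Message values from the quoted debug output.
    for hex_msg in ("0x0201000c0173616672617461",               # Response/Identity
                    "0x010200061920",                           # Request/PEAP, Start
                    "0x0202005019800000004616030100410100003d030148ae7d192f03c307ea1dd9cb41"
                    "3d92e0e5811941a68822d7112ab97c13c0459100001600040005000a000900640062"
                    "000300060013001200630100"):                # Response/PEAP, ClientHello
        print(parse_eap(hex_msg))
```

The first message decodes to an outer identity of "safrata" although the RADIUS User-Name attribute in the same request is "test"; the second is the PEAP Start (S flag) and the third carries a 70-byte TLS 1.0 ClientHello with the L flag set, matching the "Length Included" and "ClientHello" lines in the trace.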




More information about the Linux mailing list