RADIUS - RadSecProxy: ignoring request, no matching TLS client

Martin Vancl tux.martin at gmail.com
Monday November 19 00:47:43 CET 2012


Hello,
I need to secure the RADIUS communication between a FreeRADIUS (Ubuntu)
server and an OpenWrt AP. I started from these guides:
http://www.eduroam.cz/doku.php?id=cs:spravce:pripojovani:radsec:radsecproxy
http://codeghar.wordpress.com/2008/03/17/create-a-certificate-authority-and-certificates-with-openssl/

The server has the following configuration:

root na server:/# cat /etc/radsecproxy.conf
ListenUDP		localhost:11812
ListenTLS		*:2084
LogLevel		3
LogDestination		x-syslog:///
LoopPrevention		on
tls server {
    CACertificateFile	/etc/radsecproxy/ca/certs/cacert.pem
    CACertificatePath	/etc/radsecproxy/ca/certs/
    CertificateFile	        /etc/radsecproxy/ca/certs/server.pem
    CertificateKeyFile	/etc/radsecproxy/ca/private/server.key.pem
}

server localhost {
	port 1812
	type udp
	secret testing123
}
client localhost {
	type udp
	secret testing123
}
client * {
	type tls
	tls server
	certificateNameCheck off
	secret testing123-1
}
realm * {
	server localhost
}

and on the client:

root na client:/# cat /etc/radsecproxy.conf
ListenUDP		localhost:1812
LogDestination		x-syslog:///log_daemon
tls client {
    CACertificateFile	/etc/cert/cacert.pem
    CACertificatePath	/etc/cert/
    CertificateFile   	/etc/cert/client..pem
    CertificateKeyFile	/etc/cert/client.key.pem
}
client 127.0.0.1 {
	type	udp
	secret	testing123-1
}
server 192.168.1.1 { # server IP
	type	tls
	secret	testing123-1
	port 2084
	tls client
	certificateNameCheck off
}
realm * {
	server 192.168.1.1
}

I have already tried about a million things, but I still cannot get the
connection to work. It always gets stuck on the error "ignoring request, no matching TLS client".
Output from the server:

root na server:/# radsecproxy -c /etc/radsecproxy.conf -d 3 -f
Nov 17 21:19:36 2012: createlistener: listening for udp on localhost:11812
Nov 17 21:19:36 2012: createlistener: listening for tls on *:2084
Nov 17 21:19:43 2012: tlsservernew: incoming TLS connection from 192.168.1.68
Nov 17 21:19:43 2012: tlsservernew: ignoring request, no matching TLS client
Nov 17 21:19:45 2012: tlsservernew: incoming TLS connection from 192.168.1.68
Nov 17 21:19:45 2012: tlsservernew: ignoring request, no matching TLS client
Nov 17 21:19:47 2012: tlsservernew: incoming TLS connection from 192.168.1.68
Nov 17 21:19:47 2012: tlsservernew: ignoring request, no matching TLS client
^C
root na server:/#

and from the client:

root na client:/# radsecproxy -c /etc/radsecproxy.conf -d 3 -f
Nov 17 21:19:43 2012: createlistener: listening for udp on localhost:1812
Nov 17 21:19:43 2012: connecttcphostlist: trying to open TCP
connection to 192.168.1.1 port 2084
Nov 17 21:19:43 2012: connecttcphostlist: TCP connection to
192.168.1.1 port 2084 up
Nov 17 21:19:45 2012: connecttcphostlist: trying to open TCP
connection to 192.168.1.1 port 2084
Nov 17 21:19:45 2012: connecttcphostlist: TCP connection to
192.168.1.1 port 2084 up
Nov 17 21:19:47 2012: connecttcphostlist: trying to open TCP
connection to 192.168.1.1 port 2084
Nov 17 21:19:47 2012: connecttcphostlist: TCP connection to
192.168.1.1 port 2084 up
^C
root na client:/#

Does anyone have an idea what I am doing wrong with the certificates?

Thanks for your help.


-- 
Best regards
Martin Vancl

e-mail:  tux.martin at gmail.com
jabber:  tux.martin at gmail.com
www:    http://martin.vancl.eu/
twitter:  http://twitter.com/tuxmartin
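One practical way to triage these rejections, as an added example that is not part of the original post: radsecproxy prints the peer address only on the "incoming TLS connection" line, and the "ignoring request" line that follows carries no address, so a short script can pair the two and show which peers are being refused and how often. The sample log below is constructed from the output quoted above (the extra peers 192.168.1.70 and 192.168.1.69 and the function names are my own).

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the "radsecproxy -d 3 -f" output quoted above;
# the peers 192.168.1.70 and 192.168.1.69 are made up to show a second case.
SAMPLE_LOG = """\
Nov 17 21:19:36 2012: createlistener: listening for tls on *:2084
Nov 17 21:19:43 2012: tlsservernew: incoming TLS connection from 192.168.1.68
Nov 17 21:19:43 2012: tlsservernew: ignoring request, no matching TLS client
Nov 17 21:19:45 2012: tlsservernew: incoming TLS connection from 192.168.1.68
Nov 17 21:19:45 2012: tlsservernew: ignoring request, no matching TLS client
Nov 17 21:19:50 2012: tlsservernew: incoming TLS connection from 192.168.1.70
Nov 17 21:19:50 2012: tlsservernew: ignoring request, no matching TLS client
Nov 17 21:19:52 2012: tlsservernew: incoming TLS connection from 192.168.1.69
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})"
INCOMING = re.compile(TS + r": tlsservernew: incoming TLS connection from (?P<ip>\S+)$")
IGNORED = re.compile(TS + r": tlsservernew: ignoring request, no matching TLS client$")

def rejected_tls_peers(log_text):
    """Map each peer address to the timestamps at which radsecproxy refused it.
    The address appears only on the 'incoming TLS connection' line; the
    'ignoring request' line that follows carries none, so the two are paired
    through the most recent unresolved 'incoming' line."""
    rejected = defaultdict(list)
    pending = None  # (ip, ts) of the last 'incoming' line not yet resolved
    for line in log_text.splitlines():
        m = INCOMING.match(line)
        if m:
            pending = (m.group("ip"), m.group("ts"))
            continue
        m = IGNORED.match(line)
        if m and pending is not None:
            rejected[pending[0]].append(m.group("ts"))
            pending = None  # an 'ignoring' line with no preceding peer is dropped
    return dict(rejected)

def repeat_offenders(log_text, min_rejections=2):
    """Peers refused at least min_rejections times: check their address against
    the 'client' blocks (and their certificate against the CA) first."""
    counts = Counter({ip: len(ts) for ip, ts in rejected_tls_peers(log_text).items()})
    return sorted(ip for ip, n in counts.items() if n >= min_rejections)

if __name__ == "__main__":
    for ip, stamps in rejected_tls_peers(SAMPLE_LOG).items():
        print(f"{ip}: rejected {len(stamps)}x, last at {stamps[-1]}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```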


More information about the Linux mailing list