FreeRadius und Win7-Anmeldung über AP schlägt fehl

[rok]

Hallo!

Ich teste gerade FreeRadius. Soweit läuft das Ding auch. Leider kann ich mich mit einer Win7 Büchse über den AccessPoint nicht anmelden. Der meckert immer, dass das Zertifikat ungültig ist:

...
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
...

Ist denn die Anmeldung auch ohne Serverzertifikat-Import-Dingsbums möglich? Wenn ja, wie?

[6uellerBelästigungspanda]

Ist denn die Anmeldung auch ohne Serverzertifikat-Import-Dingsbums möglich? Wenn ja, wie?

ja ist möglich.
zeig mal deine configs.

[rok]

Einfach alle? Oder was bestimmtes?

[6uellerBelästigungspanda]

Einfach alle? Oder was bestimmtes?

Code: Alles auswählen

radiusd.conf
clients.conf
eap.conf

[rok]

Klar, kein Problem. Habe vorher die Kommentarzeilen entfernt.
clients.conf:

Code: Alles auswählen

client localhost {
	ipaddr = 127.0.0.1
	secret		= 123456
	require_message_authenticator = no
	nastype     = other	
}
client 10.0.0.0/24 {
    secret	= 123456
    shortname	= private-network-1
}

eap.conf:

Code: Alles auswählen

	eap {
		default_eap_type = md5
		timer_expire     = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		max_sessions = 4096

		md5 {
		}

		leap {
		}

		gtc {
			auth_type = PAP
		}

		tls {
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs
			private_key_password = 123456
			private_key_file = ${certdir}/server.key
			certificate_file = ${certdir}/server.pem
			CA_file = ${cadir}/ca.pem
			dh_file = ${certdir}/dh
			random_file = ${certdir}/random
			cipher_list = "DEFAULT"
			make_cert_command = "${certdir}/bootstrap"

			cache {
			      enable = no
			      max_entries = 255
			}
		}

		ttls {
			default_eap_type = md5
			copy_request_to_tunnel = no
			use_tunneled_reply = no
			virtual_server = "inner-tunnel"
		}

		peap {
			default_eap_type = mschapv2
			copy_request_to_tunnel = no
			use_tunneled_reply = no
			virtual_server = "inner-tunnel"
		}

		mschapv2 {
		}
	}

radiusd.conf:

Code: Alles auswählen

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
db_dir = $(raddbdir)
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

listen {
	type = auth
	ipaddr = *
	port = 0
}

listen {
	ipaddr = *
	port = 0
	type = acct
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes

log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp	= no
$INCLUDE snmp.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	pap {
		auto_header = no
	}

	chap {
		authtype = CHAP
	}

	pam {
		pam_auth = radiusd
	}

	unix {

		radwtmp = ${logdir}/radwtmp
	}

$INCLUDE eap.conf

	mschap {
	}

	ldap {
		server = "ldap.your.domain"
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		ldap_connections_number = 5
		timeout = 4
		timelimit = 3
		net_timeout = 1

		tls {
			start_tls = no
		}

		dictionary_mapping = ${confdir}/ldap.attrmap
		edir_account_policy_check = no
	}

	realm IPASS {
		format = prefix
		delimiter = "/"
	}

	realm suffix {
		format = suffix
		delimiter = "@"
	}

	realm realmpercent {
		format = suffix
		delimiter = "%"
	}

	realm ntdomain {
		format = prefix
		delimiter = "\\"
	}	

	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
	}

	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}

	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}

	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
		header = "%t"
	}

	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	$INCLUDE sql.conf

	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes		
		perm = 0600
		callerid = "yes"
	}

	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}

	attr_filter attr_filter.post-proxy {
		attrsfile = ${confdir}/attrs
	}

	attr_filter attr_filter.pre-proxy {
		attrsfile = ${confdir}/attrs.pre-proxy
	}

	attr_filter attr_filter.access_reject {
		key = %{User-Name}
		attrsfile = ${confdir}/attrs.access_reject
	}

	attr_filter attr_filter.accounting_response {
		key = %{User-Name}
		attrsfile = ${confdir}/attrs.accounting_response
	}

	counter daily {
		filename = ${db_dir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		allowed-servicetype = Framed-User
		cache-size = 5000
	}

	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always noop {
		rcode = noop
	}
	always handled {
		rcode = handled
	}
	always updated {
		rcode = updated
	}
	always notfound {
		rcode = notfound
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}

	expr {
	}

	digest {
	}

	expiration {
		reply-message = "Password Has Expired\r\n" 
	}

	logintime {
		reply-message = "You are calling outside your allowed timespan\r\n"

		minimum-timeout = 60
	}
	exec {
		wait = yes
		input_pairs = request
		shell_escape = yes
		output = none
	}

	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
		shell_escape = yes
	}


	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${db_dir}/db.ippool
		ip-index = ${db_dir}/db.ipindex
		override = no
		maximum-timeout = 0
	}

	policy {
	       filename = ${confdir}/policy.txt
	}
}

instantiate {
	exec
	expr
	expiration
	logintime
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/

Der Accesspoint hat die 10.0.0.5, der DHCP-Range geht von 10.0.0.50 bis *.150. Darunter sind noch ein paar Maschinen mit festen IPs.

[6uellerBelästigungspanda]

du hast

default_eap_type = md5

du willst doch peap benutzen oder ?
deaktiviere alle module die du nicht brauchst..du hast ja alles aktiviert

[rok]

Denke schon.
Ich hatte es auch zwischenzeitlich mit nem iPod touch probiert, weil damit sollte das ziemlich einfach gehen (ich glaub der hat keine Probleme mit irgendwelchen Zertifikaten), aber auch der hat verweigert...

[rok]

deaktiviere alle module die du nicht brauchst..du hast ja alles aktiviert

Ich glaub das war die Standardeinstellung, die mittels apt-get install... installiert wurde. Wie müsste denn (zum testen) die eap.conf aussehen?