Author Topic: Radius server Error: TLS_accept failed in SSLv3 read client certificate A  (Read 24549 times)

lelik

  • Zen Monk
  • **
  • Posts: 64
  • Karma: +0/-0
Drummel,

Is it a fix for "station" authentication? Please elaborate: what does it do?

tuxmania

  • Zen Apprentice
  • *
  • Posts: 45
  • Karma: +1/-0
Drummel,

Is it a fix for "station" authentication? Please elaborate: what does it do?

You get workstation auth, but it won't check the user, from what I can see.
« Last Edit: July 19, 2010, 07:57:26 am by tuxmania »

Drummel

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
Drummel,

Is it a fix for "station" authentication? Please elaborate: what does it do?

I'm on vacation now but will be glad to help you out later. Just check the code NT hack.
In version 1.5 they have fixed the certificate thing, but I miss the possibility to have a password when creating the certificate. Please fix, CODERS ::)
« Last Edit: July 20, 2010, 09:42:56 pm by Drummel »

Drummel

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
Drummel,

Is it a fix for "station" authentication? Please elaborate: what does it do?

You get workstation auth, but it won't check the user, from what I can see.

Please run radius in debug mode and paste the log. Thanks.

lelik

  • Zen Monk
  • **
  • Posts: 64
  • Karma: +0/-0
As I explained before, authentication using user credentials works with PEAP/MSCHAPv2, but not with LDAP. Do not change the ldap module; it is irrelevant:
Code:
[ldap] performing user authorization for MYDOMAIN\john
        expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=john)
        expand: dc=mydomain,dc=local -> dc=mydomain,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://127.0.0.1:389/, authentication 0
rlm_ldap: bind as cn=ebox,dc=mydomain,dc=local/XXXXXXX/ to ldap://127.0.0.1:389/
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=local, with filter (uid=john)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0xxx531
rlm_ldap: sambaLmPassword -> LM-Password == 0xxx545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
But EAP/mschapv2 works just fine:
Code:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for olga with NT-Password
        expand: --username=%{mschap:User-Name:-None} -> --username=john
        expand: %{mschap:NT-Domain} -> MYDOMAIN
        expand: --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} -> --domain=MYDOMAIN
[mschap]  mschap2: 5f
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=xxxxxxxxxxxx       
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=xxxxxxxxxxxxxxxxxx
Exec-Program output: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program-Wait: plaintext: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success

But for computer authentication to work you need to strip the "host/" prefix and the domain name, and add a "$".
The Novell web site http://www.novell.com/coolsolutions/feature/17044.html#7 suggests using attr_rewrite, i.e.:
Code:
attr_rewrite add-dollar-sign {
        # Attribute to rewrite; it lives in the request packet.
        attribute = Stripped-User-Name
        # Only identities starting with "host/" are touched.
        searchfor = "^(host/.*)"
        searchin = packet
        # Rewrite in place rather than creating a new attribute.
        new_attribute = no
        # %{1} is the captured group; as written this only appends "$",
        # it does not yet drop the "host/" prefix or the domain suffix.
        replacewith = "%{1}$"
}
So if you know regex well, try to play with /etc/freeradius/modules/mschap and attr_rewrite to convert host/MYCOMPUTER.MYDOMAIN to MYCOMPUTER$.
If you made it work, please, post the configuration.
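The rewrite lelik describes, carried through as a stand-alone Python model (added here; not code from this thread, from eBox/Zentyal, or from the Novell article). It maps the EAP identity to the uid that rlm_ldap would search for, covering the three identity shapes that appear in this thread: host/NAME.DOMAIN machine identities (to NAME$, the Samba machine-account form), DOMAIN\user (to user, which is what %{mschap:User-Name} yields) and a bare user name, and it builds the (uid=...) filter with LDAP metacharacters escaped. The function names, the sample identities and the escaping table are mine; the attr_rewrite pattern quoted in the comment is my assumed config equivalent and should be verified against your FreeRADIUS version. Whether your directory stores the machine uid in upper or lower case is something to check before relying on this.

```python
"""Stand-alone model of the machine-account rewrite discussed in the thread.

Constructed example (not FreeRADIUS code): turns the EAP identity a Windows
supplicant sends into the uid that rlm_ldap would look up in the Samba/LDAP
directory, then builds the "(uid=...)" filter with metacharacters escaped.
"""
import re

# Mirrors the attr_rewrite "searchfor" pattern needed for machine auth (assumed
# equivalent, verify against your FreeRADIUS version):
#   searchfor   = "^host/([^.]+)(\\..*)?$"
#   replacewith = "%{1}$"
# Group 1 is the short host name; the optional group swallows ".MYDOMAIN[...]".
HOST_RE = re.compile(r"^host/([^.]+)(?:\..*)?$")

# "DOMAIN\user" as seen in the [ldap] log line for MYDOMAIN\john; this is what
# %{mschap:User-Name} strips down to the bare user.
DOMAIN_USER_RE = re.compile(r"^[^\\]+\\(.+)$")

# Characters that change the meaning of an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample identities, one per shape seen in the thread.
SAMPLE_IDENTITIES = [
    "host/MYCOMPUTER.MYDOMAIN",
    "host/MYCOMPUTER.mydomain.local",
    "MYDOMAIN\\john",
    "john",
]


def ldap_uid_for_identity(identity: str) -> str:
    """Map an EAP identity to the directory uid.

    host/MYCOMPUTER.MYDOMAIN -> MYCOMPUTER$   (Samba machine account)
    MYDOMAIN\\john           -> john
    john                     -> john
    Anything else is returned unchanged so it fails the lookup rather than
    being silently mapped onto some other account.
    """
    m = HOST_RE.match(identity)
    if m:
        return m.group(1) + "$"
    m = DOMAIN_USER_RE.match(identity)
    if m:
        return m.group(1)
    return identity


def ldap_filter(uid: str) -> str:
    """Build the (uid=...) filter with metacharacters escaped.

    "$" is not special in a filter, so a machine uid passes through untouched.
    """
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in uid)
    return f"(uid={escaped})"


def rewrite_all(identities):
    """Identity -> filter for a batch of identities (for the demo table)."""
    return {ident: ldap_filter(ldap_uid_for_identity(ident)) for ident in identities}


if __name__ == "__main__":
    for ident, flt in rewrite_all(SAMPLE_IDENTITIES).items():
        print(f"{ident:32} -> {flt}")
```

Running the block prints one line per sample identity with the filter rlm_ldap would send. The point of the model is the first regex: the capture must stop at the first "." so that only the short host name survives before the "$" is appended.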