urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?


urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?

Jamie Crawford
Hello,
Trying to set up FreeRADIUS to use PEAP authentication with XP clients and Enterasys 3000 access points.  Everything seems to work great until the certificate negotiation, then it blows chunks.  I've followed the how-tos on tlpd.org and "Securing WLANs with WPA and FreeRADIUS" from the Linux Journal articles.  Attached is the output of radiusd -X -A.  Any help is appreciated!!!!
Thanks


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachment: radiusout.log (51K)

Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?

Zoltan Ori
On Tuesday 16 August 2005 10:28, Jamie Crawford wrote:
>  Everything seems to work great until
> the certificate negotiation, then it blows chunks.
>

Bad or wrong certificates. Server and supplicant need a copy of the same
trusted root certificate.

Zoltan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: urgent help needed!! freeradius peap enterasys ap 3000 xp certificate failure?

Jamie Crawford
Thanks for your response.  I downloaded my cacert.pem and imported it into my XP client as a trusted root authority and that did not help.  Here are the steps I took to create my certs.  Remember I am trying to use "PEAP".  Thanks!!!!

Here's what I did to create the certs.
RHEL AS 4.0
FreeRADIUS 1.0.4
On my freeradius server I went to:
/usr/share/ssl/openssl.cnf
changed "dir     = ./productionCA"
changed "countryName_default = US"
changed "stateOrProvinceName_default = Missouri"
changed "localityName_default = Warrensburg"
changed "0.organizationName_default = CMSU"
changed "organizationalUnitName_default = Information Services"
changed "commonName_default = Wireless"
changed "emailAddress_default = [hidden email]"
changed "challengePassword_default = password"

I saved the file.
Then I went into /usr/share/ssl/misc/CA and changed
"CATOP=./productionCA"
Then I went back into the /usr/share/ssl directory and ran
/usr/share/ssl/misc/CA -newca
Entered my passphrase "password"
Verified "password"

Hit the default of "US" for Country name
Hit the default of "Missouri" for state name
Hit the default of "Warrensburg" for locality name
Hit the default of "CMSU" for organization name
Hit the default of "Information Services" for organizational unit name
Hit the default of "WIRELESS" for the common name
Hit the default of "[hidden email]" for the email address

Now I have my new root certificate (cacert.pem) and private key (cakey.pem).
In my /usr/share/ssl/productionCA directory I have:
-rw-r--r--  1 root root 1346 Aug 16 14:54 cacert.pem
drwxr-xr-x  2 root root 4096 Aug 16 14:52 certs
drwxr-xr-x  2 root root 4096 Aug 16 14:52 crl
-rw-r--r--  1 root root    0 Aug 16 14:52 index.txt
drwxr-xr-x  2 root root 4096 Aug 16 14:52 newcerts
drwxr-xr-x  2 root root 4096 Aug 16 14:52 private
-rw-r--r--  1 root root    3 Aug 16 14:52 serial
In the "private" directory I have:
-rw-r--r--  1 root root 963 Aug 16 14:54 cakey.pem

Now I create my server certificate, but first I must create the "xpextensions" file because Windows XP expects certain attributes in server and client certificates.

Contents of "xpextensions"
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Now I run:
openssl req -new -keyout server_key.pem -out server_req.pem -days 730 -config openssl.cnf

This asks for the PEM pass phrase:
So I enter "password"
I verify "password"

Hit the default of "US" for Country name
Hit the default of "Missouri" for state name
Hit the default of "Warrensburg" for locality name
Hit the default of "CMSU" for organization name
Hit the default of "Information Services" for organizational unit name
Enter in "server.cmsu.edu" for the common name
Hit the default of "[hidden email]" for the email address
It asks for a "challenge password", so I type in "password"
It asks for an "optional company name" and I hit enter for nothing.

This creates the files "server_req.pem", which contains the actual request (an unsigned certificate), and "server_key.pem", the private key.

Now I will use the CA key to sign the request.

openssl ca -config openssl.cnf -policy_anything -out server_cert.pem -extensions xpserver_ext -extfile xpextensions -infiles server_req.pem

This asks for the pass phrase for "/productionCA/private/cakey.pem"
I type in "password"

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 16 20:09:23 2005 GMT
            Not After : Aug 16 20:09:23 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Missouri
            localityName              = Warrensburg
            organizationName          = CMSU
            organizationalUnitName    = Information Services
            commonName                = server.cmsu.edu
            emailAddress              = [hidden email]
        X509v3 extensions:
            X509v3 Extended Key Usage:
            TLS Web Server Authentication
Certificate is to be certified until Aug 16 20:09:23 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This command reads the file server_req.pem and after prompting for my CA key's passphrase, saves a signed version of it plus its corresponding private key to the file server_cert.pem.

Now I open up my signed certificate "server_cert.pem" and delete everything before the line -----BEGIN CERTIFICATE-----

Now I concatenate it and my key into a single file by typing:
cat server_key.pem server_cert.pem  > server_keycert.pem

Next I copy the server_keycert.pem file and cacert.pem file over to my certs directory.

While in this directory I run these two commands to create the "dh" file and the "random" file.

openssl dhparam -check -text -5 512 -out dh
dd if=/dev/urandom of=random count=2

my eap.conf file (tls section):

tls {
        private_key_password = password
        private_key_file = ${raddbdir}/certs/server_keycert.pem
        certificate_file = ${raddbdir}/certs/server_keycert.pem
        #  Trusted Root CA list
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
}


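The certificate procedure in the post above, redone as a non-interactive script, plus the checks worth running before pointing eap.conf at the files. This is an added example, not code from the original post, from FreeRADIUS or from the OpenSSL "CA" script: it signs with `openssl x509 -req` instead of `openssl ca`, so no CA database (index.txt, serial, newcerts) is needed, and it generates keys without a passphrase. The DN values and the `xpserver_ext` section are the ones from the post; the output directory and the function names `build_pki` and `check_server_cert` are assumptions. The second half of the demo makes Zoltan's point concrete: the same server certificate, checked against a root the supplicant was not given, fails the chain check while the EKU check still passes.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeRADIUS): build a
# root CA and an XP-usable PEAP server certificate non-interactively, then
# run the checks the posted procedure omits. Signing uses 'openssl x509
# -req' rather than the post's 'openssl ca'. Output directory is assumed.
set -e

# Minimal config: a DN section (values come from -subj), extensions for
# the root CA, and the section Windows XP needs on the server certificate.
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build_pki DIR CN: root CA "Wireless" plus a server cert for CN, signed
# with the xpserver_ext section so the cert carries the serverAuth EKU.
build_pki() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    write_openssl_cnf "$dir"
    base="/C=US/ST=Missouri/L=Warrensburg/O=CMSU/OU=Information Services"

    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -batch -config "$dir/openssl.cnf" \
        -key "$dir/cakey.pem" -subj "$base/CN=Wireless" \
        -extensions ca_ext -days 1095 -out "$dir/cacert.pem" 2>/dev/null

    openssl genrsa -out "$dir/server_key.pem" 2048 2>/dev/null
    openssl req -new -batch -config "$dir/openssl.cnf" \
        -key "$dir/server_key.pem" -subj "$base/CN=$cn" \
        -out "$dir/server_req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/server_req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -days 365 -extfile "$dir/openssl.cnf" -extensions xpserver_ext \
        -out "$dir/server_cert.pem" 2>/dev/null

    # Same layout the post feeds to eap.conf: key and cert in one file.
    cat "$dir/server_key.pem" "$dir/server_cert.pem" > "$dir/server_keycert.pem"
}

# check_server_cert DIR CAFILE: three checks to run before editing
# eap.conf. Returns 0 only if all of them pass.
check_server_cert() {
    dir=$1; ca=$2
    # 1. The server cert chains to the root the supplicant will trust.
    openssl verify -CAfile "$ca" "$dir/server_cert.pem" 2>/dev/null \
        | grep -q ': OK$' || return 1
    # 2. XP's PEAP supplicant needs the serverAuth EKU on the server cert.
    openssl x509 -in "$dir/server_cert.pem" -noout -text \
        | grep -q 'TLS Web Server Authentication' || return 1
    # 3. The private key in the combined file matches the certificate.
    certpub=$(openssl x509 -in "$dir/server_keycert.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$dir/server_keycert.pem" -pubout)
    [ "$certpub" = "$keypub" ] || return 1
    return 0
}

# Demonstration: the correct PKI passes; the same server cert checked
# against a different root (a CA the supplicant was given by mistake)
# fails at step 1, which is what a supplicant-side trust mismatch looks like.
demo() {
    tmp=${TMPDIR:-/tmp}/peap-demo.$$
    build_pki "$tmp/good" server.cmsu.edu
    build_pki "$tmp/other" server.cmsu.edu
    if check_server_cert "$tmp/good" "$tmp/good/cacert.pem"; then
        echo "good: server_cert.pem verifies against its cacert.pem and has serverAuth EKU"
    fi
    if ! check_server_cert "$tmp/good" "$tmp/other/cacert.pem"; then
        echo "other: the same server cert does not verify against a different root"
    fi
    rm -rf "$tmp"
}

demo
```

The dh and random files are generated exactly as in the post and are not touched here; a current OpenSSL build expects a 2048-bit group from `openssl dhparam`, not 512. The cacert.pem written by `build_pki` is the file to import on the XP client as a trusted root, and the root it contains must be the one that signed server_cert.pem, which is what check 1 confirms.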