R: Eap-Tls Problem

Matteo Lazzarini mlazzarini at crema.unimi.it
Wed Aug 23 14:11:57 CEST 2006 

Matteo Lazzarini wrote:

>
> rad_recv: Access-Request packet from host 192.168.1.5:1218, id=97, 
> length=139
> User-Name = "marcello"
> NAS-IP-Address = 192.168.1.5
> NAS-Port = 0
> Called-Station-Id = "00-40-05-30-C5-86"
> Calling-Station-Id = "00-0C-F1-15-17-59"
> NAS-Identifier = "DLink-900AP+"
> Framed-MTU = 1380
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0201000d016d617263656c6c6f
> Message-Authenticator = 0x198e77929c34dbae3d21887e7c8fedb6
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: 
> '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822'
> rlm_detail: 
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
> expands to 
> /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822
> modcall[authorize]: module "auth_log" returns ok for request 0
> rlm_eap: EAP packet type response id 1 length 13
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry DEFAULT at line 152
> users: Matched entry marcello at line 223
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> Sending Access-Challenge of id 97 to 192.168.1.5 port 1218
> EAP-Message = 0x010200060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x10ffb90c0007eb49a18f61eabd573132
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.1.5:1218, id=98, 
> length=224
> User-Name = "marcello"
> NAS-IP-Address = 192.168.1.5
> NAS-Port = 0
> Called-Station-Id = "00-40-05-30-C5-86"
> Calling-Station-Id = "00-0C-F1-15-17-59"
> NAS-Identifier = "DLink-900AP+"
> Framed-MTU = 1380
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 
> 0x020200500d800000004616030100410100003d030144eb3ca336a3103a0ffadab80df60c4e27696e763a5ebad813bc963683fff37800001600040005000a000900640062000300060013001200630100 
>
> State = 0x10ffb90c0007eb49a18f61eabd573132
> Message-Authenticator = 0x3a2931277b7c91633740abd039fb5d26
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> radius_xlat: 
> '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822'
> rlm_detail: 
> /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
> expands to 
> /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822
> modcall[authorize]: module "auth_log" returns ok for request 1
> rlm_eap: EAP packet type response id 2 length 80
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 1
> users: Matched entry DEFAULT at line 152
> users: Matched entry marcello at line 223
> modcall[authorize]: module "files" returns ok for request 1
> modcall: leaving group authorize (returns updated) for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello 
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello 
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate 
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest 
> TLS_accept: SSLv3 write certificate request A
> TLS_accept: SSLv3 flush data
> * TLS_accept:error in SSLv3 read client certificate A
> rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)*
> In SSL Handshake Phase
> In SSL Accept mode eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 1
> modcall: leaving group authenticate (returns handled) for request 1
> Sending Access-Challenge of id 98 to 192.168.1.5 port 1218
> EAP-Message = 
> 0x0103040a0dc000000835160301004a02000046030144eb3d0386a135fa7e544226488211ed9f6d798dd3b1b667ce1057e7c6f83a2120ac760e68727c64d564fa523a839ce6ca02136b0c8d2dcf15257eaa69617fec9200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 
>
> EAP-Message = 
> 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 
>
> EAP-Message = 
> 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be 
>
> EAP-Message = 
> 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 
>
> EAP-Message = 0x300e060355040b1307696d692073726c311630140603
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x582723ed1968a3dbf4d299bf04f83d9c
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
>
> Can somebody said me what for I have this fault?
> I have used for TLS the certs made with the CA.all script in the 
> freeradius scripts directory.
> I have used also certs made with other scripts find in internet.
> But the error is the same.
>
I am continuing to make various tests but I do not resolve the problem… 
nobody has ideas/help?

More information about the Freeradius-Devel mailing list