EAP/TLS Configuration
Madhuraka Godahewa
maduraka at electroteks.com
Fri Dec 2 23:50:22 CET 2005
Hi All,
I installed freeRADIUS 1.0.5 recently, and configured the server as described
in the documentation files. I configured it (freeRADIUS) to accept incoming
authentication requests from a WLAN AP (10.128.253.122). (Thanks to everyone
who helped me throughout.)
Then, using OpenSSL, I created server and client certificates to work with
EAP/TLS. I also configured a user (Windows XP) to connect to the network through
the AP.
When I try to connect to the network, the AP sends the Access-Request to
the freeRADIUS server, and the output of 'radiusd -X' is as follows.
<
rad_recv: Access-Request packet from host 10.128.253.122:2049, id=0, length=145
User-Name = "rajith-office"
NAS-IP-Address = 10.128.253.122
Called-Station-Id = "001310e7f2a3"
Calling-Station-Id = "00121764a573"
NAS-Identifier = "001310e7f2a3"
NAS-Port = 50
Framed-MTU = 1400
State = 0x814918fda1642f41b8a502c6a199d9dc
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060d00
Message-Authenticator = 0x6f24ef63df0ac05fc0eea5bae2c6db30
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 23
modcall[authorize]: module "preprocess" returns ok for request 23
modcall[authorize]: module "chap" returns noop for request 23
modcall[authorize]: module "mschap" returns noop for request 23
rlm_realm: No '@' in User-Name = "rajith-office", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 23
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 23
users: Matched rajith-office at 156
modcall[authorize]: module "files" returns ok for request 23
modcall: group authorize returns updated for request 23
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 23
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 23
modcall: group authenticate returns ok for request 23
Sending Access-Accept of id 0 to 10.128.253.122:2049
MS-MPPE-Recv-Key = 0x2360910dc1d2c0525aabfbe09a803b23d3b36957a3d2751fea8e6cadd83a2001
MS-MPPE-Send-Key = 0x634f3a8d4247469db34585005a67c4d46689d6047fbd70296dd9a2ea35d8e35e
EAP-Message = 0x03020004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "rajith-office"
Finished request 23
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 23 ID 0 with timestamp 438ffb3c
Nothing to do. Sleeping until we see a request.
>
As it says, it sends the Access-Accept message to the AP. When I observe the
tcpdump output, I get the following.
<
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:06:25.021464 IP (tos 0x0, ttl 64, id 1077, offset 0, flags [DF], length:
167) 10.128.253.122.nfs > rajith-office.radius: RADIUS, length: 139
Access Request (1), id: 0x00, Authenticator:
a1e2e07e2e18f7e9342ef7ebd2b20529
Username Attribute (1), length: 15, Value: rajith-office
0x0000: 7261 6a69 7468 2d6f 6666 6963 65
NAS IP Address Attribute (4), length: 6, Value: 10.128.253.122
0x0000: 0a80 fd7a [|radius]
14:06:25.023671 IP (tos 0x0, ttl 64, id 24, offset 0, flags [DF], length: 92)
rajith-office.radius > 10.128.253.122.nfs: RADIUS, length: 64
Access Challenge (11), id: 0x00, Authenticator:
e7e0b48c8f87df181cca4aed4bb2f4ab
EAP Message Attribute (79), length: 8, Value: ..
0x0000: 0101 0006 0d20
Message Authentication Attribute (80), length: 18,
Value: . ..q*....X.....
0x0000: 8820 1ebc 712a 1b84 c4b2 58bf 96bd f3ef [|radius]
14:06:25.247782 IP (tos 0x0, ttl 64, id 1078, offset 0, flags [DF], length:
247) 10.128.253.122.nfs > rajith-office.radius: RADIUS, length: 219
Access Request (1), id: 0x00, Authenticator:
f6feb52cb3ffb9e92651be66e9ab549e
Username Attribute (1), length: 15, Value: rajith-office
0x0000: 7261 6a69 7468 2d6f 6666 6963 65
NAS IP Address Attribute (4), length: 6, Value: 10.128.253.122
0x0000: 0a80 fd7a [|radius]
14:06:25.250218 IP (tos 0x0, ttl 64, id 25, offset 0, flags [DF], length: 919)
rajith-office.radius > 10.128.253.122.nfs: RADIUS, length: 891
Access Challenge (11), id: 0x00, Authenticator:
218ca3fafe6f1c3b007d5ae8b7cdd40a [|radius]
14:06:25.274389 IP (tos 0x0, ttl 64, id 1079, offset 0, flags [DF], length:
173) 10.128.253.122.nfs > rajith-office.radius: RADIUS, length: 145
Access Request (1), id: 0x00, Authenticator:
e26c1b74318e971004e1fac2c3b5b1ea
Username Attribute (1), length: 15, Value: rajith-office
0x0000: 7261 6a69 7468 2d6f 6666 6963 65
NAS IP Address Attribute (4), length: 6, Value: 10.128.253.122
0x0000: 0a80 fd7a [|radius]
14:06:25.275289 IP (tos 0x0, ttl 64, id 26, offset 0, flags [DF], length: 203)
rajith-office.radius > 10.128.253.122.nfs: RADIUS, length: 175
Access Accept (2), id: 0x00, Authenticator:
4af05501f464f4080afcce604e2c5f24 [|radius]
>
But the problem is, the user machine (the one that is running Windows XP) does not
connect to the network. It asks for the 'User Credentials' again.
Does anyone know where the problem lies?
Thank you.
--------------------------------------------------------------------------------
Madhuraka Godahewa
Telecommunications Engineer
Research and Development Unit
Electroteks Global Networks (Pvt.) Ltd.
Mobile: + 94-777-647055
More information about the Freeradius-Users mailing list
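Decoding the EAP-Message attributes quoted in the post above, as an added example that is not part of the original message or of FreeRADIUS itself. The three hex strings are constructed from the values printed in the 'radiusd -X' output and the tcpdump capture (0x0101 0006 0d20 in the first Access-Challenge, 0x020200060d00 in the final Access-Request, 0x03020004 in the Access-Accept); the framing follows RFC 3748 (EAP header) and RFC 5216 (EAP-TLS flags byte). Run against those values it shows the exchange the server saw: an EAP-TLS Start request, the client's zero-flag EAP-TLS ACK carrying no TLS data, and the EAP-Success that rides inside the Access-Accept.

```python
"""Decode EAP-Message payloads as printed by 'radiusd -X' and tcpdump.

Added example; the framing follows RFC 3748 (EAP) and RFC 5216 (EAP-TLS).
The sample messages below are copied from the debug output quoted on this page.
"""
from __future__ import annotations

from dataclasses import dataclass

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

# EAP-TLS flag bits in the byte after the type (RFC 5216 section 3.1)
TLS_LENGTH_INCLUDED = 0x80
TLS_MORE_FRAGMENTS = 0x40
TLS_START = 0x20

# Constructed from the page: the first Access-Challenge, the client's last
# Access-Request and the Access-Accept, in wire order.
PAGE_EAP_MESSAGES = ("0x0101 0006 0d20", "0x020200060d00", "0x03020004")


@dataclass
class EapMessage:
    code: int
    identifier: int
    length: int
    type: int | None        # None for Success/Failure (no type byte)
    flags: int | None       # EAP-TLS flags byte, None for other types
    tls_length: int | None  # total TLS message length when the L flag is set
    data: bytes             # TLS payload (or method data for non-TLS types)

    def describe(self) -> str:
        name = EAP_CODES.get(self.code, f"code {self.code}")
        if self.type is None:
            return f"EAP {name} id={self.identifier}"
        tname = EAP_TYPES.get(self.type, f"type {self.type}")
        if self.flags is None:
            return f"{tname} {name} id={self.identifier} ({len(self.data)} bytes)"
        notes = []
        if self.flags & TLS_START:
            notes.append("Start")
        if self.flags & TLS_LENGTH_INCLUDED:
            notes.append(f"total TLS length {self.tls_length}")
        if self.flags & TLS_MORE_FRAGMENTS:
            notes.append("more fragments")
        if self.data:
            notes.append(f"{len(self.data)} TLS bytes")
        if not notes:
            notes.append("ACK, no TLS data")  # empty EAP-TLS packet acknowledges a fragment
        return f"{tname} {name} id={self.identifier} flags=0x{self.flags:02x} ({', '.join(notes)})"


def decode_eap(raw: bytes) -> EapMessage:
    """Parse one EAP packet; raise ValueError on malformed framing."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    if code in (3, 4):
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
        return EapMessage(code, ident, length, None, None, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a type byte")
    eap_type = raw[4]
    if eap_type != 13:
        return EapMessage(code, ident, length, eap_type, None, None, raw[5:])
    if length < 6:
        raise ValueError("EAP-TLS needs a flags byte")
    flags = raw[5]
    body = raw[6:]
    tls_length = None
    if flags & TLS_LENGTH_INCLUDED:
        if len(body) < 4:
            raise ValueError("L flag set but no 4-byte TLS length field")
        tls_length = int.from_bytes(body[:4], "big")
        body = body[4:]
    return EapMessage(code, ident, length, eap_type, flags, tls_length, body)


def decode_eap_hex(text: str) -> EapMessage:
    """Accept the '0x0101 0006 0d20' and '0x020200060d00' spellings seen in the logs."""
    cleaned = text.strip().replace(" ", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    return decode_eap(bytes.fromhex(cleaned))


def describe_page_exchange() -> list[str]:
    """Decode the three EAP-Message values quoted in the post, in wire order."""
    return [decode_eap_hex(m).describe() for m in PAGE_EAP_MESSAGES]


if __name__ == "__main__":
    for line in describe_page_exchange():
        print(line)
```

The middle leg of the conversation (the 891-byte Access-Challenge carrying the server's TLS records) is not decodable from the capture as posted: tcpdump was run with its default 96-byte snaplen (shown as "capture size 96 bytes"), which is why every packet ends in "[|radius]". Capturing with `tcpdump -s 0` would keep the full EAP-Message attributes so the same decoder can be run over the whole handshake.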