FreeRadius +TLS (base on openssl)

Adam Rogalski arogal at wp.pl
Sat Dec 31 17:11:46 CET 2005


Hi

thanks for the reply. I use only one static IP address on my server, where I have 
radius. And I made the client and server certificates with the xpextensions file, so 
I think it's not that.

Regards
Adam


----- Original Message ----- 
From: "Frank Buttner" <frank-buettner at gmx.net>
To: "'FreeRadius users mailing list'" 
<freeradius-users at lists.freeradius.org>
Sent: Saturday, December 31, 2005 10:18 AM
Subject: RE: FreeRadius +TLS (base on openssl)


> Does your radius server have multiple IP addresses? In my case that was one of
> my problems. And the second was that the client and server certificates had
> no extensions part.
>
> -----Original Message-----
> From: freeradius-users-bounces+frank-buettner=gmx.net at lists.freeradius.org
> [mailto:freeradius-users-bounces+frank-buettner=gmx.net at lists.freeradius.org
> ] On Behalf Of Adam Rogalski
> Sent: Friday, December 30, 2005 12:10 PM
> To: FreeRadius users mailing list
> Subject: FreeRadius +TLS (base on openssl)
>
> Hi
>
> I have been fighting with my Radius for one week and I don't have any more ideas. I would
> like to set up my home network with WPA enterprise (WPA with TKIP + 802.1x).
> I made my own CA and generated certificates for the server and client, everything
> as I read in the howto from freeradius.org. My server is on Fedora Core 4, but
> I tried on Slackware too.
> When I use WPA enterprise on my AP (Linksys WRT54G), the command radiusd -X
> stops after:
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
>
>
>
> when I change to only RADIUS and WEP, I get this message after radiusd -X:
>
> root at serwerek sbin]# ./radiusd -X
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> Config:   including file: /etc/raddb/snmp.conf
> Config:   including file: /etc/raddb/eap.conf
> Config:   including file: /etc/raddb/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/radius"
> main: libdir = "/usr/lib"
> main: radacctdir = "/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: user = "nobody"
> main: group = "nobody"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "/etc/shadow"
> unix: group = "(null)"
> unix: radwtmp = "/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/raddb/certs/server_keycert.pem"
> tls: certificate_file = "/etc/raddb/certs/server_keycert.pem"
> tls: CA_file = "/etc/raddb/certs/cacert.pem"
> tls: private_key_password = "adam01"
> tls: dh_file = "/etc/raddb/certs/dh"
> tls: random_file = "/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/etc/raddb/huntgroups"
> preprocess: hints = "/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/etc/raddb/users"
> files: acctusersfile = "/etc/raddb/acct_users"
> files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
>
> [root at serwerek sbin]# ./radiusd -X
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> Config:   including file: /etc/raddb/snmp.conf
> Config:   including file: /etc/raddb/eap.conf
> Config:   including file: /etc/raddb/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/radius"
> main: libdir = "/usr/lib"
> main: radacctdir = "/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: user = "nobody"
> main: group = "nobody"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "/etc/shadow"
> unix: group = "(null)"
> unix: radwtmp = "/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/raddb/certs/server_keycert.pem"
> tls: certificate_file = "/etc/raddb/certs/server_keycert.pem"
> tls: CA_file = "/etc/raddb/certs/cacert.pem"
> tls: private_key_password = "adam01"
> tls: dh_file = "/etc/raddb/certs/dh"
> tls: random_file = "/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/etc/raddb/huntgroups"
> preprocess: hints = "/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/etc/raddb/users"
> files: acctusersfile = "/etc/raddb/acct_users"
> files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, 
> length=121
>        User-Name = "Adam"
>        NAS-IP-Address = 192.168.1.1
>        Called-Station-Id = "0014bf2f16c2"
>        Calling-Station-Id = "000e3573296d"
>        NAS-Identifier = "0014bf2f16c2"
>        NAS-Port = 55
>        Framed-MTU = 1400
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x02000009014164616d
>        Message-Authenticator = 0x88f32269e104d036be28f8411cd133b6
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: EAP packet type response id 0 length 9
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 0
>    users: Matched entry DEFAULT at line 152
>  modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>  rlm_eap: EAP Identity
>  rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
>  rlm_eap_tls: Initiate
>  rlm_eap_tls: Start returned 1
>  modcall[authenticate]: module "eap" returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 0 to 192.168.1.1:2054
>        EAP-Message = 0x010100060d20
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x44e256d6f94136dbb146b56055f69cf3
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, 
> length=236
>        User-Name = "Adam"
>        NAS-IP-Address = 192.168.1.1
>        Called-Station-Id = "0014bf2f16c2"
>        Calling-Station-Id = "000e3573296d"
>        NAS-Identifier = "0014bf2f16c2"
>        NAS-Port = 55
>        Framed-MTU = 1400
>        State = 0x44e256d6f94136dbb146b56055f69cf3
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message =
> 0x0201006a0d8000000060160301005b01000057030143b50d1a0e6730
> f71ec0114327ca53bc3eade6ecabd6c027a46f2642fb6e39d000003000390038003500160013
> 000a
> 00330032002f0066000500040065006400630062006000150012000900140011000800030100
>        Message-Authenticator = 0xe801c7aec46700968dfa44913e23d516
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>  modcall[authorize]: module "preprocess" returns ok for request 1
>  modcall[authorize]: module "chap" returns noop for request 1
>  modcall[authorize]: module "mschap" returns noop for request 1
>    rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 1
>  rlm_eap: EAP packet type response id 1 length 106
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 1
>    users: Matched entry DEFAULT at line 152
>  modcall[authorize]: module "files" returns ok for request 1
> modcall: group authorize returns updated for request 1
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/tls
>  rlm_eap: processing type tls
>  rlm_eap_tls: Authenticate
>  rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>  eaptls_verify returned 11
>    (other): before/accept initialization
>    TLS_accept: before/accept initialization
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
>    TLS_accept: SSLv3 read client hello A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>    TLS_accept: SSLv3 write server hello A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 02a7], Certificate
>    TLS_accept: SSLv3 write certificate A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
>    TLS_accept: SSLv3 write key exchange A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest
>    TLS_accept: SSLv3 write certificate request A
>    TLS_accept: SSLv3 flush data
>    TLS_accept:error in SSLv3 read client certificate A In SSL Handshake
> Phase In SSL Accept mode
>  eaptls_process returned 13
>  modcall[authenticate]: module "eap" returns handled for request 1
> modcall: group authenticate returns handled for request 1
> Sending Access-Challenge of id 0 to 192.168.1.1:2054
>        EAP-Message =
> 0x0102040a0dc0000004ab160301004a02000046030143b50c5e53e9e8
> a74a80938207f2b0b3bb015986bef383fbada6998b571453ee2050a14d2d1936b94767dc8e38
> 5486
> 0e4a418ee7d1541dc3c54807f12c5996889200390016030102a70b0002a30002a000029d3082
> 0299
> 30820202a003020102020101300d06092a864886f70d0101040500308185310b300906035504
> 0613
> 02504c311330110603550408130a446f6c6e79536c61736b3110300e0603550407130757726f
> 636c
> 6177310e300c060355040a1305446f6d656b3122302006035504031319736572776572656b2e
> 6164
> 616d656b2e686f70746f2e6f7267311b301906092a864886f7
>        EAP-Message =
> 0x0d010901160c61726f67616c4077702e706c301e170d303531323330
> 3038333635345a170d3036313233303038333635345a308185310b300906035504061302504c
> 3113
> 30110603550408130a446f6c6e79536c61736b3110300e0603550407130757726f636c617731
> 0e30
> 0c060355040a1305446f6d656b3122302006035504031319736572776572656b2e6164616d65
> 6b2e
> 686f70746f2e6f7267311b301906092a864886f70d010901160c61726f67616c4077702e706c
> 3081
> 9f300d06092a864886f70d010101050003818d0030818902818100e446b6595abca00c76e48b
> 21d6
> 95f43d9a2770dd067bfcaef859ec5bcedb74a14600a9dd179e
>        EAP-Message =
> 0x23d8f7809495f018a50d359f78915fb18b41a74e7441f6716823e415
> 0febd758698291dd48150bc697d56be21a536b089b17f9e3fa049db4e52402fac8f72e493cbf
> cbda
> 0e217cdd2a93598632c1c64cc7d70840ec0fbce918e30203010001a317301530130603551d25
> 040c
> 300a06082b06010505070301300d06092a864886f70d0101040500038181000662e9a572dec1
> 51d2
> 6adb88c7cee3cc7bf0f7f41e8c03d8b85b2b7db7ab2b35fb21ecabb9f15f395e6482b762c04a
> ec81
> 0c4a9883986037d5c17eaf0539e64aae928e7da2394d5b5b3c7d61791d3ae373cf15a1592502
> 1f00
> 51f518de9c12f6e04fe46f39a2b53f6b2345b0b94fc9da2499
>        EAP-Message =
> 0x110108df4251a2d2f21ca4ebaf2c160301010d0c0001090040ca7f38
> db174492ff0737acbd4117d15bb7b41b837016a8422f3a34f9af06244de89a01df120f154711
> 7480
> 2929bc655907ca6ff7b441f03ea72c1ad2c3caae8b00010500407f8f356cf73802cb22f17e4d
> 3a2c
> ea90839f15a1b1c4d7d15014724bd5ef9aba1e17dd262df70a5c8784c64dbd5dcb6a0ae0bdfa
> 390b
> 337d50ed9e97d97324b60080c10536878e2d1ec56f2ad550b03e61c35ae1920f1d5ab39c5ed5
> bfe2
> f8cd2b804799634038088cd836ab6229e86a39589c5a3f9cf93c700c2dfd6bf684ea2e5efc90
> 12db
> f4a6704e75cdd233d632c43e0f0a762ad8df90da110e39dd2f
>        EAP-Message = 0x0aab1b9e0bc4fe20ea2b877b8ccb0c2e7b89e1e6952f
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x767b202144333f7b0182c93a33070eb4
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, 
> length=136
>        User-Name = "Adam"
>        NAS-IP-Address = 192.168.1.1
>        Called-Station-Id = "0014bf2f16c2"
>        Calling-Station-Id = "000e3573296d"
>        NAS-Identifier = "0014bf2f16c2"
>        NAS-Port = 55
>        Framed-MTU = 1400
>        State = 0x767b202144333f7b0182c93a33070eb4
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x020200060d00
>        Message-Authenticator = 0x2e5131827a4a1a6955a9eada5a37ad5d
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
>  modcall[authorize]: module "preprocess" returns ok for request 2
>  modcall[authorize]: module "chap" returns noop for request 2
>  modcall[authorize]: module "mschap" returns noop for request 2
>    rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 2
>  rlm_eap: EAP packet type response id 2 length 6
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 2
>    users: Matched entry DEFAULT at line 152
>  modcall[authorize]: module "files" returns ok for request 2
> modcall: group authorize returns updated for request 2
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/tls
>  rlm_eap: processing type tls
>  rlm_eap_tls: Authenticate
>  rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>  rlm_eap_tls: ack handshake fragment handler
>  eaptls_verify returned 1
>  eaptls_process returned 13
>  modcall[authenticate]: module "eap" returns handled for request 2
> modcall: group authenticate returns handled for request 2
> Sending Access-Challenge of id 0 to 192.168.1.1:2054
>        EAP-Message =
> 0x010300b50d80000004abea37366e949b739e4e8ce5d1051603010099
> 0d0000910403040102008a0088308185310b300906035504061302504c311330110603550408
> 130a
> 446f6c6e79536c61736b3110300e0603550407130757726f636c6177310e300c060355040a13
> 0544
> 6f6d656b3122302006035504031319736572776572656b2e6164616d656b2e686f70746f2e6f
> 7267
> 311b301906092a864886f70d010901160c61726f67616c4077702e706c0e000000
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0xe15d58f49422b6ce53338dbcb286d67d
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, 
> length=147
>        User-Name = "Adam"
>        NAS-IP-Address = 192.168.1.1
>        Called-Station-Id = "0014bf2f16c2"
>        Calling-Station-Id = "000e3573296d"
>        NAS-Identifier = "0014bf2f16c2"
>        NAS-Port = 55
>        Framed-MTU = 1400
>        State = 0xe15d58f49422b6ce53338dbcb286d67d
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message = 0x020300110d800000000715030100020230
>        Message-Authenticator = 0x9ccbb7428e7fb4c0adce582d01b259c6
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
>  modcall[authorize]: module "preprocess" returns ok for request 3
>  modcall[authorize]: module "chap" returns noop for request 3
>  modcall[authorize]: module "mschap" returns noop for request 3
>    rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 3
>  rlm_eap: EAP packet type response id 3 length 17
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 3
>    users: Matched entry DEFAULT at line 152
>  modcall[authorize]: module "files" returns ok for request 3
> modcall: group authorize returns updated for request 3
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/tls
>  rlm_eap: processing type tls
>  rlm_eap_tls: Authenticate
>  rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>  eaptls_verify returned 11
>  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert
> read:fatal:unknown CA
>    TLS_accept:failed in SSLv3 read client certificate A
> 2426:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> ca:s3_pkt.c :1052:SSL alert number 48
> 2426:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake
> failure:s3_pkt.c:                       837:
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> In SSL Handshake Phase
> In SSL Accept mode
> rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
>  eaptls_process returned 13
>  rlm_eap: Freeing handler
>  modcall[authenticate]: module "eap" returns reject for request 3
> modcall: group authenticate returns reject for request 3
> auth: Failed to validate the user.
> Delaying request 3 for 1 seconds
> Finished request 3
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 0 to 192.168.1.1:2054
>        EAP-Message = 0x04030004
>        Message-Authenticator = 0x00000000000000000000000000000000
> Cleaning up request 3 ID 0 with timestamp 43b50c5e
> Nothing to do.  Sleeping until we see a request.
>
>
> As a client I use my built-in Centrino card (Intel 2200) and Windows XP with
> SP2
>
>
> So if anybody can help I will be very grateful
>
> Best regards
>
> Adam
>

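An added example, not code from the post or from FreeRADIUS: a decoder for the EAP-Message values that radiusd -X prints, so the EAP-TLS stage (Identity, Start, ACK, handshake fragment, alert) and the fatal unknown_ca alert in request 3 can be read straight from the RADIUS attributes instead of the rlm_eap_tls trace. It assumes only the standard EAP-TLS layout (RFC 3748 / RFC 5216) and the TLS 1.0 alert codes (RFC 2246); the values it is meant to be run on are the ones quoted in the debug output above.

```python
# EAP-TLS packet decoder: EAP header (code, id, length), type 13, flags byte
# (L=0x80 length included, M=0x40 more fragments, S=0x20 start), optional
# 4-byte total TLS length, then raw TLS records.  RFC 3748 / RFC 5216 / RFC 2246.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
          49: "access_denied", 50: "decode_error", 51: "decrypt_error"}
ALERT_MEANING = {48: "sender could not chain the peer's certificate to a CA it trusts",
                 42: "sender found the peer's certificate corrupt or its signature invalid",
                 45: "peer's certificate is outside its validity period",
                 40: "no acceptable set of security parameters could be negotiated"}


def decode_tls_records(payload):
    """Parse TLS record headers; in a fragmented flight only leading records are whole."""
    records, pos = [], 0
    while pos + 5 <= len(payload):
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", payload[pos:pos + 5])
        body = payload[pos + 5:pos + 5 + rlen]
        rec = {"type": TLS_CONTENT.get(ctype, str(ctype)), "version": f"{vmaj}.{vmin}",
               "length": rlen, "complete": len(body) == rlen}
        if ctype == 22 and body:                 # Handshake: first body byte is msg type
            rec["handshake"] = HANDSHAKE.get(body[0], f"type{body[0]}")
        elif ctype == 21 and len(body) >= 2:     # Alert: level byte, description byte
            rec["level"] = "fatal" if body[0] == 2 else "warning"
            rec["alert_number"] = body[1]
            rec["alert"] = ALERTS.get(body[1], str(body[1]))
        records.append(rec)
        pos += 5 + rlen
    return records


def decode_eap_message(hexstr):
    """Decode one EAP-Message value in the '0x...' form radiusd -X prints."""
    data = bytes.fromhex(hexstr.strip().replace("0x", "", 1))
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (3, 4):                           # Success / Failure carry no type byte
        return info
    info["type"] = data[4]
    if data[4] == 1:                             # Identity
        info["identity"] = data[5:].decode("ascii", "replace")
    if data[4] != 13:                            # not EAP-TLS: nothing more to decode here
        return info
    flags, pos = data[5], 6
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    if flags & 0x80:                             # L bit: 4-byte total TLS message length
        info["tls_total_length"], pos = struct.unpack("!I", data[6:10])[0], 10
    payload = data[pos:]
    if flags & 0x20:
        info["summary"] = "EAP-TLS Start"
    elif not payload:
        info["summary"] = "EAP-TLS ACK (peer acknowledges a fragment)"
    else:
        info["records"] = decode_tls_records(payload)
        info["summary"] = "; ".join(r.get("handshake") or r.get("alert") or r["type"]
                                    for r in info["records"])
    return info


def explain_alert(info):
    """Which side gave up, and what its alert code means; a Response comes from the
    supplicant, a Request from the RADIUS server."""
    alerts = [r for r in info.get("records", []) if r["type"] == "Alert"]
    if not alerts:
        return None
    a = alerts[0]
    sender = "client" if info["code"] == "Response" else "server"
    return (f"{sender} sent {a['level']} {a['alert']} ({a['alert_number']}): "
            f"{ALERT_MEANING.get(a['alert_number'], 'see RFC 2246 section 7.2')}")
```

Run over the post's request 3 value `0x020300110d800000000715030100020230`, `explain_alert` reports that the client sent fatal unknown_ca (48), i.e. the supplicant rejected the server certificate chain it had just received; a wrapped EAP-Message must have its line breaks removed before decoding.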