FreeRadius +TLS (base on openssl)

Adam Rogalski arogal at wp.pl
Sat Dec 31 18:19:40 CET 2005


I have Windows XP SP2 with all updates, I use driver 9.0.2.31 from 
19-07-2005, so I think that they should be OK. I've another card (Linksys) but 
yesterday my Router/AP broke down and I can't test it. I will get a new one on Monday 
from work (Cisco 1100) and I will try it, I hope.

Regards
Adam

----- Original Message ----- 
From: "Frank Buttner" <frank-buettner at gmx.net>
To: "'FreeRadius users mailing list'" 
<freeradius-users at lists.freeradius.org>
Sent: Saturday, December 31, 2005 5:30 PM
Subject: RE: FreeRadius +TLS (base on openssl)


> Have you used the last Intel driver, firmware and the XP update for WPA?
>
> -----Original Message-----
> From: freeradius-users-bounces+frank-buettner=gmx.net at lists.freeradius.org
> [mailto:freeradius-users-bounces+frank-buettner=gmx.net at lists.freeradius.org]
> On Behalf Of Adam Rogalski
> Sent: Saturday, December 31, 2005 5:12 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius +TLS (base on openssl)
>
> Hi
>
> thanks for the reply, I use only one static IP address on my server, where I
> have radius. And I made client and server certificates with the xpextensions file
> so I think it's not that.
>
> Regards
> Adam
>
>
> ----- Original Message -----
> From: "Frank Buttner" <frank-buettner at gmx.net>
> To: "'FreeRadius users mailing list'"
> <freeradius-users at lists.freeradius.org>
> Sent: Saturday, December 31, 2005 10:18 AM
> Subject: RE: FreeRadius +TLS (base on openssl)
>
>
>> Does your radius server have multiple IP addresses? In my case that was one of
>> my problems. And the second was that the client and server certificate had
>> no extensions part.
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+frank-buettner=gmx.net at lists.freeradius.org
>> [mailto:freeradius-users-bounces+frank-buettner=gmx.net at lists.freeradius.org]
>> On Behalf Of Adam Rogalski
>> Sent: Friday, December 30, 2005 12:10 PM
>> To: FreeRadius users mailing list
>> Subject: FreeRadius +TLS (base on openssl)
>>
>> Hi
>>
>> I have been fighting with my Radius for one week and I don't have more ideas. I would
>> like to make my home network with WPA enterprise (WPA with TKIP + 802.1x).
>> I made my own CA and generated certificates for server and client. Everything
>> like I read in the howto from freeradius.org. My server is on Fedora Core 4 but
>> I try on Slackware too.
>> When I use WPA enterprise on my AP (Linksys WRT54G), the command radiusd -X
>> stops after:
>>
>> Listening on authentication *:1812
>> Listening on accounting *:1813
>> Listening on proxy *:1814
>> Ready to process requests.
>>
>>
>>
>> when I change to only RADIUS and WEP I get after radiusd -X this message:
>>
>> root at serwerek sbin]# ./radiusd -X
>> Starting - reading configuration files ...
>> reread_config:  reading radiusd.conf
>> Config:   including file: /etc/raddb/proxy.conf
>> Config:   including file: /etc/raddb/clients.conf
>> Config:   including file: /etc/raddb/snmp.conf
>> Config:   including file: /etc/raddb/eap.conf
>> Config:   including file: /etc/raddb/sql.conf
>> main: prefix = "/usr"
>> main: localstatedir = "/var"
>> main: logdir = "/var/log/radius"
>> main: libdir = "/usr/lib"
>> main: radacctdir = "/var/log/radius/radacct"
>> main: hostname_lookups = no
>> main: max_request_time = 30
>> main: cleanup_delay = 5
>> main: max_requests = 1024
>> main: delete_blocked_requests = 0
>> main: port = 0
>> main: allow_core_dumps = no
>> main: log_stripped_names = no
>> main: log_file = "/var/log/radius/radius.log"
>> main: log_auth = no
>> main: log_auth_badpass = no
>> main: log_auth_goodpass = no
>> main: pidfile = "/var/run/radiusd/radiusd.pid"
>> main: user = "nobody"
>> main: group = "nobody"
>> main: usercollide = no
>> main: lower_user = "no"
>> main: lower_pass = "no"
>> main: nospace_user = "no"
>> main: nospace_pass = "no"
>> main: checkrad = "/usr/sbin/checkrad"
>> main: proxy_requests = yes
>> proxy: retry_delay = 5
>> proxy: retry_count = 3
>> proxy: synchronous = no
>> proxy: default_fallback = yes
>> proxy: dead_time = 120
>> proxy: post_proxy_authorize = yes
>> proxy: wake_all_if_all_dead = no
>> security: max_attributes = 200
>> security: reject_delay = 1
>> security: status_server = no
>> main: debug_level = 0
>> read_config_files:  reading dictionary
>> read_config_files:  reading naslist
>> Using deprecated naslist file.  Support for this will go away soon.
>> read_config_files:  reading clients
>> read_config_files:  reading realms
>> radiusd:  entering modules setup
>> Module: Library search path is /usr/lib
>> Module: Loaded exec
>> exec: wait = yes
>> exec: program = "(null)"
>> exec: input_pairs = "request"
>> exec: output_pairs = "(null)"
>> exec: packet_type = "(null)"
>> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>> Module: Instantiated exec (exec)
>> Module: Loaded expr
>> Module: Instantiated expr (expr)
>> Module: Loaded PAP
>> pap: encryption_scheme = "crypt"
>> Module: Instantiated pap (pap)
>> Module: Loaded CHAP
>> Module: Instantiated chap (chap)
>> Module: Loaded MS-CHAP
>> mschap: use_mppe = yes
>> mschap: require_encryption = no
>> mschap: require_strong = no
>> mschap: with_ntdomain_hack = no
>> mschap: passwd = "(null)"
>> mschap: authtype = "MS-CHAP"
>> mschap: ntlm_auth = "(null)"
>> Module: Instantiated mschap (mschap)
>> Module: Loaded System
>> unix: cache = no
>> unix: passwd = "(null)"
>> unix: shadow = "/etc/shadow"
>> unix: group = "(null)"
>> unix: radwtmp = "/var/log/radius/radwtmp"
>> unix: usegroup = no
>> unix: cache_reload = 600
>> Module: Instantiated unix (unix)
>> Module: Loaded eap
>> eap: default_eap_type = "tls"
>> eap: timer_expire = 60
>> eap: ignore_unknown_eap_types = no
>> eap: cisco_accounting_username_bug = no
>> rlm_eap: Loaded and initialized type md5
>> rlm_eap: Loaded and initialized type leap
>> gtc: challenge = "Password: "
>> gtc: auth_type = "PAP"
>> rlm_eap: Loaded and initialized type gtc
>> tls: rsa_key_exchange = no
>> tls: dh_key_exchange = yes
>> tls: rsa_key_length = 512
>> tls: dh_key_length = 512
>> tls: verify_depth = 0
>> tls: CA_path = "(null)"
>> tls: pem_file_type = yes
>> tls: private_key_file = "/etc/raddb/certs/server_keycert.pem"
>> tls: certificate_file = "/etc/raddb/certs/server_keycert.pem"
>> tls: CA_file = "/etc/raddb/certs/cacert.pem"
>> tls: private_key_password = "adam01"
>> tls: dh_file = "/etc/raddb/certs/dh"
>> tls: random_file = "/etc/raddb/certs/random"
>> tls: fragment_size = 1024
>> tls: include_length = yes
>> tls: check_crl = no
>> tls: check_cert_cn = "(null)"
>> rlm_eap: Loaded and initialized type tls
>> mschapv2: with_ntdomain_hack = no
>> rlm_eap: Loaded and initialized type mschapv2
>> Module: Instantiated eap (eap)
>> Module: Loaded preprocess
>> preprocess: huntgroups = "/etc/raddb/huntgroups"
>> preprocess: hints = "/etc/raddb/hints"
>> preprocess: with_ascend_hack = no
>> preprocess: ascend_channels_per_line = 23
>> preprocess: with_ntdomain_hack = no
>> preprocess: with_specialix_jetstream_hack = no
>> preprocess: with_cisco_vsa_hack = no
>> Module: Instantiated preprocess (preprocess)
>> Module: Loaded realm
>> realm: format = "suffix"
>> realm: delimiter = "@"
>> realm: ignore_default = no
>> realm: ignore_null = no
>> Module: Instantiated realm (suffix)
>> Module: Loaded files
>> files: usersfile = "/etc/raddb/users"
>> files: acctusersfile = "/etc/raddb/acct_users"
>> files: preproxy_usersfile = "/etc/raddb/preproxy_users"
>> files: compat = "no"
>> Module: Instantiated files (files)
>> Module: Loaded Acct-Unique-Session-Id
>> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>> Module: Instantiated acct_unique (acct_unique)
>> Module: Loaded detail
>> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>> detail: detailperm = 384
>> detail: dirperm = 493
>> detail: locking = no
>> Module: Instantiated detail (detail)
>> Module: Loaded radutmp
>> radutmp: filename = "/var/log/radius/radutmp"
>> radutmp: username = "%{User-Name}"
>> radutmp: case_sensitive = yes
>> radutmp: check_with_nas = yes
>> radutmp: perm = 384
>> radutmp: callerid = yes
>> Module: Instantiated radutmp (radutmp)
>> Listening on authentication *:1812
>> Listening on accounting *:1813
>> Listening on proxy *:1814
>> Ready to process requests.
>>
>> [root at serwerek sbin]# ./radiusd -X
>> Starting - reading configuration files ...
>> reread_config:  reading radiusd.conf
>> Config:   including file: /etc/raddb/proxy.conf
>> Config:   including file: /etc/raddb/clients.conf
>> Config:   including file: /etc/raddb/snmp.conf
>> Config:   including file: /etc/raddb/eap.conf
>> Config:   including file: /etc/raddb/sql.conf
>> main: prefix = "/usr"
>> main: localstatedir = "/var"
>> main: logdir = "/var/log/radius"
>> main: libdir = "/usr/lib"
>> main: radacctdir = "/var/log/radius/radacct"
>> main: hostname_lookups = no
>> main: max_request_time = 30
>> main: cleanup_delay = 5
>> main: max_requests = 1024
>> main: delete_blocked_requests = 0
>> main: port = 0
>> main: allow_core_dumps = no
>> main: log_stripped_names = no
>> main: log_file = "/var/log/radius/radius.log"
>> main: log_auth = no
>> main: log_auth_badpass = no
>> main: log_auth_goodpass = no
>> main: pidfile = "/var/run/radiusd/radiusd.pid"
>> main: user = "nobody"
>> main: group = "nobody"
>> main: usercollide = no
>> main: lower_user = "no"
>> main: lower_pass = "no"
>> main: nospace_user = "no"
>> main: nospace_pass = "no"
>> main: checkrad = "/usr/sbin/checkrad"
>> main: proxy_requests = yes
>> proxy: retry_delay = 5
>> proxy: retry_count = 3
>> proxy: synchronous = no
>> proxy: default_fallback = yes
>> proxy: dead_time = 120
>> proxy: post_proxy_authorize = yes
>> proxy: wake_all_if_all_dead = no
>> security: max_attributes = 200
>> security: reject_delay = 1
>> security: status_server = no
>> main: debug_level = 0
>> read_config_files:  reading dictionary
>> read_config_files:  reading naslist
>> Using deprecated naslist file.  Support for this will go away soon.
>> read_config_files:  reading clients
>> read_config_files:  reading realms
>> radiusd:  entering modules setup
>> Module: Library search path is /usr/lib
>> Module: Loaded exec
>> exec: wait = yes
>> exec: program = "(null)"
>> exec: input_pairs = "request"
>> exec: output_pairs = "(null)"
>> exec: packet_type = "(null)"
>> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>> Module: Instantiated exec (exec)
>> Module: Loaded expr
>> Module: Instantiated expr (expr)
>> Module: Loaded PAP
>> pap: encryption_scheme = "crypt"
>> Module: Instantiated pap (pap)
>> Module: Loaded CHAP
>> Module: Instantiated chap (chap)
>> Module: Loaded MS-CHAP
>> mschap: use_mppe = yes
>> mschap: require_encryption = no
>> mschap: require_strong = no
>> mschap: with_ntdomain_hack = no
>> mschap: passwd = "(null)"
>> mschap: authtype = "MS-CHAP"
>> mschap: ntlm_auth = "(null)"
>> Module: Instantiated mschap (mschap)
>> Module: Loaded System
>> unix: cache = no
>> unix: passwd = "(null)"
>> unix: shadow = "/etc/shadow"
>> unix: group = "(null)"
>> unix: radwtmp = "/var/log/radius/radwtmp"
>> unix: usegroup = no
>> unix: cache_reload = 600
>> Module: Instantiated unix (unix)
>> Module: Loaded eap
>> eap: default_eap_type = "tls"
>> eap: timer_expire = 60
>> eap: ignore_unknown_eap_types = no
>> eap: cisco_accounting_username_bug = no
>> rlm_eap: Loaded and initialized type md5
>> rlm_eap: Loaded and initialized type leap
>> gtc: challenge = "Password: "
>> gtc: auth_type = "PAP"
>> rlm_eap: Loaded and initialized type gtc
>> tls: rsa_key_exchange = no
>> tls: dh_key_exchange = yes
>> tls: rsa_key_length = 512
>> tls: dh_key_length = 512
>> tls: verify_depth = 0
>> tls: CA_path = "(null)"
>> tls: pem_file_type = yes
>> tls: private_key_file = "/etc/raddb/certs/server_keycert.pem"
>> tls: certificate_file = "/etc/raddb/certs/server_keycert.pem"
>> tls: CA_file = "/etc/raddb/certs/cacert.pem"
>> tls: private_key_password = "adam01"
>> tls: dh_file = "/etc/raddb/certs/dh"
>> tls: random_file = "/etc/raddb/certs/random"
>> tls: fragment_size = 1024
>> tls: include_length = yes
>> tls: check_crl = no
>> tls: check_cert_cn = "(null)"
>> rlm_eap: Loaded and initialized type tls
>> mschapv2: with_ntdomain_hack = no
>> rlm_eap: Loaded and initialized type mschapv2
>> Module: Instantiated eap (eap)
>> Module: Loaded preprocess
>> preprocess: huntgroups = "/etc/raddb/huntgroups"
>> preprocess: hints = "/etc/raddb/hints"
>> preprocess: with_ascend_hack = no
>> preprocess: ascend_channels_per_line = 23
>> preprocess: with_ntdomain_hack = no
>> preprocess: with_specialix_jetstream_hack = no
>> preprocess: with_cisco_vsa_hack = no
>> Module: Instantiated preprocess (preprocess)
>> Module: Loaded realm
>> realm: format = "suffix"
>> realm: delimiter = "@"
>> realm: ignore_default = no
>> realm: ignore_null = no
>> Module: Instantiated realm (suffix)
>> Module: Loaded files
>> files: usersfile = "/etc/raddb/users"
>> files: acctusersfile = "/etc/raddb/acct_users"
>> files: preproxy_usersfile = "/etc/raddb/preproxy_users"
>> files: compat = "no"
>> Module: Instantiated files (files)
>> Module: Loaded Acct-Unique-Session-Id
>> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>> Module: Instantiated acct_unique (acct_unique)
>> Module: Loaded detail
>> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>> detail: detailperm = 384
>> detail: dirperm = 493
>> detail: locking = no
>> Module: Instantiated detail (detail)
>> Module: Loaded radutmp
>> radutmp: filename = "/var/log/radius/radutmp"
>> radutmp: username = "%{User-Name}"
>> radutmp: case_sensitive = yes
>> radutmp: check_with_nas = yes
>> radutmp: perm = 384
>> radutmp: callerid = yes
>> Module: Instantiated radutmp (radutmp)
>> Listening on authentication *:1812
>> Listening on accounting *:1813
>> Listening on proxy *:1814
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=121
>>        User-Name = "Adam"
>>        NAS-IP-Address = 192.168.1.1
>>        Called-Station-Id = "0014bf2f16c2"
>>        Calling-Station-Id = "000e3573296d"
>>        NAS-Identifier = "0014bf2f16c2"
>>        NAS-Port = 55
>>        Framed-MTU = 1400
>>        NAS-Port-Type = Wireless-802.11
>>        EAP-Message = 0x02000009014164616d
>>        Message-Authenticator = 0x88f32269e104d036be28f8411cd133b6
>>  Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>>  modcall[authorize]: module "preprocess" returns ok for request 0
>>  modcall[authorize]: module "chap" returns noop for request 0
>>  modcall[authorize]: module "mschap" returns noop for request 0
>>    rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL
>>    rlm_realm: No such realm "NULL"
>>  modcall[authorize]: module "suffix" returns noop for request 0
>>  rlm_eap: EAP packet type response id 0 length 9
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>  modcall[authorize]: module "eap" returns updated for request 0
>>    users: Matched entry DEFAULT at line 152
>>  modcall[authorize]: module "files" returns ok for request 0
>> modcall: group authorize returns updated for request 0
>>  rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>>  Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>>  rlm_eap: EAP Identity
>>  rlm_eap: processing type tls
>> rlm_eap_tls: Requiring client certificate
>>  rlm_eap_tls: Initiate
>>  rlm_eap_tls: Start returned 1
>>  modcall[authenticate]: module "eap" returns handled for request 0
>> modcall: group authenticate returns handled for request 0
>> Sending Access-Challenge of id 0 to 192.168.1.1:2054
>>        EAP-Message = 0x010100060d20
>>        Message-Authenticator = 0x00000000000000000000000000000000
>>        State = 0x44e256d6f94136dbb146b56055f69cf3
>> Finished request 0
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=236
>>        User-Name = "Adam"
>>        NAS-IP-Address = 192.168.1.1
>>        Called-Station-Id = "0014bf2f16c2"
>>        Calling-Station-Id = "000e3573296d"
>>        NAS-Identifier = "0014bf2f16c2"
>>        NAS-Port = 55
>>        Framed-MTU = 1400
>>        State = 0x44e256d6f94136dbb146b56055f69cf3
>>        NAS-Port-Type = Wireless-802.11
>>        EAP-Message = 0x0201006a0d8000000060160301005b01000057030143b50d1a0e6730f71ec0114327ca53bc3eade6ecabd6c027a46f2642fb6e39d000003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
>>        Message-Authenticator = 0xe801c7aec46700968dfa44913e23d516
>>  Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 1
>>  modcall[authorize]: module "preprocess" returns ok for request 1
>>  modcall[authorize]: module "chap" returns noop for request 1
>>  modcall[authorize]: module "mschap" returns noop for request 1
>>    rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL
>>    rlm_realm: No such realm "NULL"
>>  modcall[authorize]: module "suffix" returns noop for request 1
>>  rlm_eap: EAP packet type response id 1 length 106
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>  modcall[authorize]: module "eap" returns updated for request 1
>>    users: Matched entry DEFAULT at line 152
>>  modcall[authorize]: module "files" returns ok for request 1
>> modcall: group authorize returns updated for request 1
>>  rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>>  Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 1
>>  rlm_eap: Request found, released from the list
>>  rlm_eap: EAP/tls
>>  rlm_eap: processing type tls
>>  rlm_eap_tls: Authenticate
>>  rlm_eap_tls: processing TLS
>> rlm_eap_tls:  Length Included
>>  eaptls_verify returned 11
>>    (other): before/accept initialization
>>    TLS_accept: before/accept initialization
>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
>>    TLS_accept: SSLv3 read client hello A
>>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>>    TLS_accept: SSLv3 write server hello A
>>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 02a7], Certificate
>>    TLS_accept: SSLv3 write certificate A
>>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
>>    TLS_accept: SSLv3 write key exchange A
>>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest
>>    TLS_accept: SSLv3 write certificate request A
>>    TLS_accept: SSLv3 flush data
>>    TLS_accept:error in SSLv3 read client certificate A
>> In SSL Handshake Phase
>> In SSL Accept mode
>>  eaptls_process returned 13
>>  modcall[authenticate]: module "eap" returns handled for request 1
>> modcall: group authenticate returns handled for request 1
>> Sending Access-Challenge of id 0 to 192.168.1.1:2054
>>        EAP-Message = 0x0102040a0dc0000004ab160301004a02000046030143b50c5e53e9e8a74a80938207f2b0b3bb015986bef383fbada6998b571453ee2050a14d2d1936b94767dc8e3854860e4a418ee7d1541dc3c54807f12c5996889200390016030102a70b0002a30002a000029d3082029930820202a003020102020101300d06092a864886f70d0101040500308185310b30090603550406130202504c311330110603550408130a446f6c6e79536c61736b3110300e0603550407130757726f636c6177310e300c060355040a1305446f6d656b3122302006035504031319736572776572656b2e6164616d656b2e686f70746f2e6f7267311b301906092a864886f7
>>        EAP-Message = 0x0d010901160c61726f67616c4077702e706c301e170d3035313233303038333635345a170d3036313233303038333635345a308185310b300906035504061302504c311330110603550408130a446f6c6e79536c61736b3110300e0603550407130757726f636c6177310e300c060355040a1305446f6d656b3122302006035504031319736572776572656b2e6164616d656b2e686f70746f2e6f7267311b301906092a864886f70d010901160c61726f67616c4077702e706c30819f300d06092a864886f70d010101050003818d0030818902818100e446b6595abca00c76e48b21d695f43d9a2770dd067bfcaef859ec5bcedb74a14600a9dd179e
>>        EAP-Message = 0x23d8f7809495f018a50d359f78915fb18b41a74e7441f6716823e4150febd758698291dd48150bc697d56be21a536b089b17f9e3fa049db4e52402fac8f72e493cbfcbda0e217cdd2a93598632c1c64cc7d70840ec0fbce918e30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181000662e9a572dec151d26adb88c7cee3cc7bf0f7f41e8c03d8b85b2b7db7ab2b35fb21ecabb9f15f395e6482b762c04aec810c4a9883986037d5c17eaf0539e64aae928e7da2394d5b5b3c7d61791d3ae373cf15a15925021f0051f518de9c12f6e04fe46f39a2b53f6b2345b0b94fc9da2499
>>        EAP-Message = 0x110108df4251a2d2f21ca4ebaf2c160301010d0c0001090040ca7f38db174492ff0737acbd4117d15bb7b41b837016a8422f3a34f9af06244de89a01df120f15471174802929bc655907ca6ff7b441f03ea72c1ad2c3caae8b00010500407f8f356cf73802cb22f17e4d3a2cea90839f15a1b1c4d7d15014724bd5ef9aba1e17dd262df70a5c8784c64dbd5dcb6a0ae0bdfa390b337d50ed9e97d97324b60080c10536878e2d1ec56f2ad550b03e61c35ae1920f1d5ab39c5ed5bfe2f8cd2b804799634038088cd836ab6229e86a39589c5a3f9cf93c700c2dfd6bf684ea2e5efc9012dbf4a6704e75cdd233d632c43e0f0a762ad8df90da110e39dd2f
>>        EAP-Message = 0x0aab1b9e0bc4fe20ea2b877b8ccb0c2e7b89e1e6952f
>>        Message-Authenticator = 0x00000000000000000000000000000000
>>        State = 0x767b202144333f7b0182c93a33070eb4
>> Finished request 1
>> Going to the next request
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=136
>>        User-Name = "Adam"
>>        NAS-IP-Address = 192.168.1.1
>>        Called-Station-Id = "0014bf2f16c2"
>>        Calling-Station-Id = "000e3573296d"
>>        NAS-Identifier = "0014bf2f16c2"
>>        NAS-Port = 55
>>        Framed-MTU = 1400
>>        State = 0x767b202144333f7b0182c93a33070eb4
>>        NAS-Port-Type = Wireless-802.11
>>        EAP-Message = 0x020200060d00
>>        Message-Authenticator = 0x2e5131827a4a1a6955a9eada5a37ad5d
>>  Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 2
>>  modcall[authorize]: module "preprocess" returns ok for request 2
>>  modcall[authorize]: module "chap" returns noop for request 2
>>  modcall[authorize]: module "mschap" returns noop for request 2
>>    rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL
>>    rlm_realm: No such realm "NULL"
>>  modcall[authorize]: module "suffix" returns noop for request 2
>>  rlm_eap: EAP packet type response id 2 length 6
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>  modcall[authorize]: module "eap" returns updated for request 2
>>    users: Matched entry DEFAULT at line 152
>>  modcall[authorize]: module "files" returns ok for request 2
>> modcall: group authorize returns updated for request 2
>>  rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>>  Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 2
>>  rlm_eap: Request found, released from the list
>>  rlm_eap: EAP/tls
>>  rlm_eap: processing type tls
>>  rlm_eap_tls: Authenticate
>>  rlm_eap_tls: processing TLS
>> rlm_eap_tls: Received EAP-TLS ACK message
>>  rlm_eap_tls: ack handshake fragment handler
>>  eaptls_verify returned 1
>>  eaptls_process returned 13
>>  modcall[authenticate]: module "eap" returns handled for request 2
>> modcall: group authenticate returns handled for request 2
>> Sending Access-Challenge of id 0 to 192.168.1.1:2054
>>        EAP-Message = 0x010300b50d80000004abea37366e949b739e4e8ce5d10516030100990d0000910403040102008a0088308185310b300906035504061302504c311330110603550408130a446f6c6e79536c61736b3110300e0603550407130757726f636c6177310e300c060355040a1305446f6d656b3122302006035504031319736572776572656b2e6164616d656b2e686f70746f2e6f7267311b301906092a864886f70d010901160c61726f67616c4077702e706c0e000000
>>        Message-Authenticator = 0x00000000000000000000000000000000
>>        State = 0xe15d58f49422b6ce53338dbcb286d67d
>> Finished request 2
>> Going to the next request
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=147
>>        User-Name = "Adam"
>>        NAS-IP-Address = 192.168.1.1
>>        Called-Station-Id = "0014bf2f16c2"
>>        Calling-Station-Id = "000e3573296d"
>>        NAS-Identifier = "0014bf2f16c2"
>>        NAS-Port = 55
>>        Framed-MTU = 1400
>>        State = 0xe15d58f49422b6ce53338dbcb286d67d
>>        NAS-Port-Type = Wireless-802.11
>>        EAP-Message = 0x020300110d800000000715030100020230
>>        Message-Authenticator = 0x9ccbb7428e7fb4c0adce582d01b259c6
>>  Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 3
>>  modcall[authorize]: module "preprocess" returns ok for request 3
>>  modcall[authorize]: module "chap" returns noop for request 3
>>  modcall[authorize]: module "mschap" returns noop for request 3
>>    rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL
>>    rlm_realm: No such realm "NULL"
>>  modcall[authorize]: module "suffix" returns noop for request 3
>>  rlm_eap: EAP packet type response id 3 length 17
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>  modcall[authorize]: module "eap" returns updated for request 3
>>    users: Matched entry DEFAULT at line 152
>>  modcall[authorize]: module "files" returns ok for request 3
>> modcall: group authorize returns updated for request 3
>>  rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>>  Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 3
>>  rlm_eap: Request found, released from the list
>>  rlm_eap: EAP/tls
>>  rlm_eap: processing type tls
>>  rlm_eap_tls: Authenticate
>>  rlm_eap_tls: processing TLS
>> rlm_eap_tls:  Length Included
>>  eaptls_verify returned 11
>>  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert read:fatal:unknown CA
>>    TLS_accept:failed in SSLv3 read client certificate A
>> 2426:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
>> 2426:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
>> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
>> In SSL Handshake Phase
>> In SSL Accept mode
>> rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
>>  eaptls_process returned 13
>>  rlm_eap: Freeing handler
>>  modcall[authenticate]: module "eap" returns reject for request 3
>> modcall: group authenticate returns reject for request 3
>> auth: Failed to validate the user.
>> Delaying request 3 for 1 seconds
>> Finished request 3
>> Going to the next request
>> Waking up in 6 seconds...
>> --- Walking the entire request list ---
>> Sending Access-Reject of id 0 to 192.168.1.1:2054
>>        EAP-Message = 0x04030004
>>        Message-Authenticator = 0x00000000000000000000000000000000
>> Cleaning up request 3 ID 0 with timestamp 43b50c5e
>> Nothing to do.  Sleeping until we see a request.
>>
>>
>> As a client I use my built-in Centrino card (Intel 2200) and Windows XP with
>> SP2
>>
>>
>> So if anybody can help I will be very grateful
>>
>> Best regards
>>
>> Adam
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
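Reading the failure off the debug output in this thread, as an added example that is not code from the thread or from FreeRADIUS: a small Python decoder for the EAP-Message attributes that radiusd -X prints. Run on the values quoted above it shows the EAP-TLS Start request (flags 0x20), the supplicant's ClientHello (L flag set, 96 bytes of TLS data), a later server fragment that carries no TLS record header, and the packet that ends the session: an EAP Response, id 3, whose TLS data is a fatal alert with description 48, unknown_ca. Because that alert is carried in an Access-Request, it was sent by the supplicant, so it is the Windows client that did not accept the server's certificate chain (the CA is not trusted on the client, or the certificate fails the supplicant's own checks), not the server rejecting the client. The function names, the alert table and the abridged sample log are this example's own; the hex values in it are copied from the thread.

```python
# Decoder for the EAP-Message attributes printed by radiusd -X (hypothetical helper,
# not part of FreeRADIUS): EAP header, EAP-TLS flags, and the first TLS record.
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange"}
# TLS 1.0 (RFC 2246) alert descriptions most often seen in EAP-TLS certificate trouble
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
              49: "access_denied", 51: "decrypt_error"}


def decode_tls_record(payload):
    """Record header at the start of an EAP-TLS payload; later fragments of a large
    flight carry no header, so report that instead of misparsing them."""
    ctype = payload[0]
    if len(payload) < 5 or ctype not in TLS_CONTENT or payload[1] != 3:
        return {"record": "fragment continuation (no record header)"}
    rec = {"record": TLS_CONTENT[ctype], "record_length": int.from_bytes(payload[3:5], "big")}
    body = payload[5:]
    if ctype == 21 and len(body) >= 2:   # alert = level byte + description byte
        rec["alert_level"] = "fatal" if body[0] == 2 else "warning"
        rec["alert_number"] = body[1]
        rec["alert_description"] = ALERT_DESC.get(body[1], body[1])
    elif ctype == 22 and body:           # handshake: first byte is the message type
        rec["handshake"] = HANDSHAKE.get(body[0], body[0])
    return rec


def decode_eap_tls(body):
    """RFC 2716 data: flags (L=0x80 length included, M=0x40 more fragments, S=0x20
    start), an optional 4-byte total TLS length when L is set, then TLS data."""
    flags = body[0]
    out = {"length_included": bool(flags & 0x80), "more_fragments": bool(flags & 0x40),
           "start": bool(flags & 0x20)}
    if out["length_included"]:
        out["tls_message_length"] = int.from_bytes(body[1:5], "big")
    payload = body[5 if out["length_included"] else 1:]
    # No TLS data means either the EAP-TLS Start request or a fragment ACK.
    out["tls"] = decode_tls_record(payload) if payload else {"record": "start" if out["start"] else "ack"}
    return out


def decode_eap_message(hexstr):
    """Decode one complete EAP packet given as the 0x... string radiusd prints."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "length_ok": length == len(data)}
    if code not in (1, 2) or len(data) < 5:   # Success/Failure carry no type byte
        return info
    info["type"] = {1: "Identity", 13: "EAP-TLS"}.get(data[4], data[4])
    if data[4] == 1:
        info["identity"] = data[5:].decode("utf-8", "replace")
    elif data[4] == 13:
        info.update(decode_eap_tls(data[5:]))
    return info


PACKET_LINE = re.compile(r"^(?:rad_recv: (?P<rx>\S+) packet|Sending (?P<tx>\S+) of id)")
EAP_LINE = re.compile(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+)")


def summarize_log(lines):
    """Every EAP-Message attribute of one RADIUS packet is a 253-byte slice of a single
    EAP packet, so the slices are concatenated per packet before decoding."""
    packets, current = [], None
    for line in lines:
        m = PACKET_LINE.match(line.strip())
        if m:
            if current and current[1]:
                packets.append(current)
            current = ["recv " + m.group("rx") if m.group("rx") else "send " + m.group("tx"), ""]
            continue
        m = EAP_LINE.search(line)
        if m and current is not None:
            current[1] += m.group(1)
    if current and current[1]:
        packets.append(current)
    return [(label, decode_eap_message(hexdata)) for label, hexdata in packets]


def find_alerts(lines):
    """Which side sent a TLS alert, and why: an alert carried in an Access-Request came
    from the supplicant, one carried in an Access-Challenge came from the server."""
    return [{"packet": label, "eap_id": eap["id"], "level": eap["tls"].get("alert_level"),
             "alert": eap["tls"].get("alert_description")}
            for label, eap in summarize_log(lines) if eap.get("tls", {}).get("record") == "alert"]


# Constructed, abridged sample log; the EAP-Message values are copied from the thread's
# debug output, with the attributes that the mail client wrapped joined back onto one line.
CLIENT_HELLO = ("0x0201006a0d8000000060160301005b01000057030143b50d1a0e6730"
                "f71ec0114327ca53bc3eade6ecabd6c027a46f2642fb6e39d000003000390038003500160013"
                "000a00330032002f0066000500040065006400630062006000150012000900140011000800030100")
SERVER_TAIL = ("0x010300b50d80000004abea37366e949b739e4e8ce5d1051603010099"
               "0d0000910403040102008a0088308185310b300906035504061302504c311330110603550408"
               "130a446f6c6e79536c61736b3110300e0603550407130757726f636c6177310e300c060355040a13"
               "05446f6d656b3122302006035504031319736572776572656b2e6164616d656b2e686f70746f2e6f"
               "7267311b301906092a864886f70d010901160c61726f67616c4077702e706c0e000000")
SAMPLE_LOG = f"""\
rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=236
        EAP-Message = {CLIENT_HELLO}
Sending Access-Challenge of id 0 to 192.168.1.1:2054
        EAP-Message = {SERVER_TAIL}
rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=147
        EAP-Message = 0x020300110d800000000715030100020230
Sending Access-Reject of id 0 to 192.168.1.1:2054
        EAP-Message = 0x04030004
"""
```

Feed it `radiusd -X` output line by line (`find_alerts(open("radius-debug.log"))`) and it reports the packet direction, EAP id and alert description; the continuation check matters because FreeRADIUS 1.x sets the L flag on every fragment of a large flight, so the flag alone does not tell you whether a record header follows.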




More information about the Freeradius-Users mailing list