FreeRadius EAP-TLS issue

Brian A. Seklecki lavalamp at spiritual-machines.org
Wed Nov 16 17:43:21 CET 2005


   rlm_eap_tls: Received unexpected tunneled data after successful
handshake.

...that's what I get when I try an invalid password in my EAP + Cisco 1200 
+ LDAP + PEAP/MS-CHAPv2 configuration.

Let me ask...how is the client certificate method supposed to work?

Is the username embedded in the CN/CommonName attribute of the certificate, and 
is the user then prompted for a password which you set up in authenticate {} ?

Is that any more secure than using PEAP/MS-CHAPv2 ?

~BAS


On Wed, 16 Nov 2005, Hamid Salim wrote:

> Hi,
> I am just wondering if anyone has encountered the same issue. I have
> set up my environment for EAP-TLS, with windows XP SP2 as a supplicant.
> For some reason I am getting:
>
> auth: Failed to validate the user.
> Login incorrect: [radiustst/<no User-Password attribute>] (from client
> testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>
> complete listing is attached. I am using certificates and SSL session
> is created successfully, then why is FreeRadius expecting a
> userid/password?
>
> Any help will be appreciated.
>
> Thanks
> Hamid.
>
> ============= Complete Listing =================
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71,
> length=1247
>        User-Name = "radiustst"
>        NAS-IP-Address = 129.10.56.156
>        Called-Station-Id = "00-20-a6-4a-12-21"
>        Calling-Station-Id = "00-10-c6-38-af-7b"
>        NAS-Identifier = "APtest3"
>        State = 0xb9a67433435733a42f7cbd528aa6ae7a
>        Framed-MTU = 1400
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message =
>        Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 8
>  modcall[authorize]: module "preprocess" returns ok for request 8
> radius_xlat:
> '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
> rlm_detail:
> /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%
> m%d expands to
> /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
>  modcall[authorize]: module "auth_log" returns ok for request 8
>    rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 8
>  rlm_eap: EAP packet type response id 5 length 253
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 8
>    users: Matched entry radiustst at line 54
>  modcall[authorize]: module "files" returns ok for request 8
> modcall: group authorize returns updated for request 8
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/tls
>  rlm_eap: processing type tls
>  rlm_eap_tls: Authenticate
>  rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>  eaptls_verify returned 11
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 030b], Certificate
> chain-depth=1,
> error=0
> --> User-Name = radiustst
> --> BUF-Name = ECEAuthServer
> --> subject = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
> --> issuer  = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
> --> verify return:1
> chain-depth=0,
> error=0
> --> User-Name = radiustst
> --> BUF-Name = radiustst
> --> subject = /C=US/ST=MA/O=Northeastern University/CN=radiustst
> --> issuer  = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
> --> verify return:1
>    TLS_accept: SSLv3 read client certificate A
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
>    TLS_accept: SSLv3 read client key exchange A
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
>    TLS_accept: SSLv3 read certificate verify A
>  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
>    TLS_accept: SSLv3 read finished A
>  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
>    TLS_accept: SSLv3 write change cipher spec A
>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
>    TLS_accept: SSLv3 write finished A
>    TLS_accept: SSLv3 flush data
>    (other): SSL negotiation finished successfully
> SSL Connection Established
>  eaptls_process returned 13
>  modcall[authenticate]: module "eap" returns handled for request 8
> modcall: group authenticate returns handled for request 8
> Sending Access-Challenge of id 71 to 129.10.56.156:6001
>        EAP-Message =
> 0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c2
> 4322bdbd6ca0af149ba46d197f153a7f4f32
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x70ed13d02f1854999ba5b4513143d53d
> Finished request 8
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72,
> length=167
>        User-Name = "radiustst"
>        NAS-IP-Address = 129.10.56.156
>        Called-Station-Id = "00-20-a6-4a-12-21"
>        Calling-Station-Id = "00-10-c6-38-af-7b"
>        NAS-Identifier = "APtest3"
>        State = 0x70ed13d02f1854999ba5b4513143d53d
>        Framed-MTU = 1400
>        NAS-Port-Type = Wireless-802.11
>        EAP-Message =
> 0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115
>        Message-Authenticator = 0xce216e15de7058166ce90f8cde7d5094
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 9
>  modcall[authorize]: module "preprocess" returns ok for request 9
> radius_xlat:
> '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
> rlm_detail:
> /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%
> m%d expands to
> /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
>  modcall[authorize]: module "auth_log" returns ok for request 9
>    rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 9
>  rlm_eap: EAP packet type response id 6 length 33
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 9
>    users: Matched entry radiustst at line 54
>  modcall[authorize]: module "files" returns ok for request 9
> modcall: group authorize returns updated for request 9
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 9
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/tls
>  rlm_eap: processing type tls
>  rlm_eap_tls: Authenticate
>  rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>  eaptls_verify returned 11
>  eaptls_process returned 7
>  rlm_eap_tls: Received unexpected tunneled data after successful
> handshake.
> rlm_eap: Handler failed in EAP/tls
>  rlm_eap: Failed in EAP select
>  modcall[authenticate]: module "eap" returns invalid for request 9
> modcall: group authenticate returns invalid for request 9
> auth: Failed to validate the user.
> Login incorrect: [radiustst/<no User-Password attribute>] (from client
> testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
> Delaying request 9 for 1 seconds
> Finished request 9
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72,
> length=167
> Sending Access-Reject of id 72 to 129.10.56.156:6001
>        EAP-Message = 0x04060004
>        Message-Authenticator = 0x00000000000000000000000000000000
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 5 ID 68 with timestamp 437a661d
> Cleaning up request 6 ID 69 with timestamp 437a661d
> Cleaning up request 7 ID 70 with timestamp 437a661d
> Cleaning up request 8 ID 71 with timestamp 437a661d
> Cleaning up request 9 ID 72 with timestamp 437a661d
> Nothing to do.  Sleeping until we see a request.
>

l8*
 	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
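As an added example (not code from either post), a small decoder for the EAP-Message values in the quoted log: it splits the EAP header, the EAP-TLS flags and TLS message length, then the TLS record headers, which is enough to see that the server's last Access-Challenge (id 6) carried ChangeCipherSpec plus an encrypted Finished, while the client's reply (id 6) carried a TLS alert record rather than the tunneled data rlm_eap_tls expected. The two hex strings are copied from the log above; the parsing follows the RFC 3748 EAP and RFC 5216 EAP-TLS header layouts.

```python
import struct

# EAP-Message values copied from the quoted debug log (server challenge id 6
# and the client's reply id 6); the RADIUS "0x" prefix is kept as logged.
SERVER_CHALLENGE_ID6 = ("0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c2"
                        "4322bdbd6ca0af149ba46d197f153a7f4f32")
CLIENT_RESPONSE_ID6 = "0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
EAP_TYPE_TLS = 13

def parse_eap_tls(hex_value):
    """Decode one EAP-Message: EAP header (RFC 3748), EAP-TLS flags and
    optional TLS message length (RFC 5216), then the TLS record headers."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} but {len(data)} bytes present")
    eap_type, flags = data[4], data[5]
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"not EAP-TLS (EAP type {eap_type})")
    offset, tls_len = 6, None
    if flags & 0x80:                       # L bit: 4-byte TLS message length follows
        tls_len = struct.unpack("!I", data[6:10])[0]
        offset = 10
    body = data[offset:]
    # Without the M (more fragments) bit the declared TLS length must match the payload.
    if tls_len is not None and not flags & 0x40 and tls_len != len(body):
        raise ValueError(f"TLS length {tls_len} but {len(body)} bytes of TLS data")
    records, pos = [], 0
    while pos + 5 <= len(body):            # each TLS record: type, version, length
        ctype, major, minor, rlen = struct.unpack("!BBBH", body[pos:pos + 5])
        records.append({"type": TLS_CONTENT.get(ctype, f"unknown({ctype})"),
                        "version": f"{major}.{minor}", "length": rlen,
                        "complete": pos + 5 + rlen <= len(body)})
        pos += 5 + rlen
    return {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20),
            "tls_length": tls_len, "records": records}

def record_types(hex_value):
    """Just the TLS record content types carried by one EAP-Message."""
    return [r["type"] for r in parse_eap_tls(hex_value)["records"]]

if __name__ == "__main__":
    for label, value in (("server challenge", SERVER_CHALLENGE_ID6),
                         ("client reply", CLIENT_RESPONSE_ID6)):
        print(label, parse_eap_tls(value))
```

Because the alert record is sent after ChangeCipherSpec it is encrypted, so the log cannot show its description; only the content type (21, Alert) is visible, which is why the server reports tunneled data it did not expect rather than a handshake error.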


