EAP/TLS PEAP on Suse 9.3 Ldap backend eDirectory
Daniel Hesse
dhesse at mmrcsl.org
Wed Sep 21 20:44:30 CEST 2005
I am successfully doing this, but with one glitch: it only works with
WinXP as the supplicant.
The problem, as far as I can tell, is with certs, but I cannot figure out how to fix
it.
So far the chipsets on the adapters are Atheros 5211 and Ralink rt2500.
The Ralinks authenticate fine using WinXP as supplicant, but fail using
the Ralink client software in Win2k and WinXP. The GN-WPEAG chipsets
also fail using the supplied clients.
Is there something special to know or do to get certs.sh to work
properly in Suse 9.3? So far I have only been able to get it to work by
installing OpenSSL in /usr/local even though Suse 9.3 says it is already
installed.
I am including two log pieces, the 1st with WinXP authenticating and the
2nd with the Ralink utility on the same machine failing to authenticate.
WINXP
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module eap returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 180 to 10.10.4.20:2500
EAP-Message =
0x0104003119001403010001011603010020fb444951ea0360a043b79a34ac4ca533ae9744e6dc6fd7cda10c7b0470fbc55b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd86ec63a7680f4308aeb922aa999e201
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.10.4.20:2501, id=181,
length=136
NAS-IP-Address = 10.10.4.20
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Framed-MTU = 1400
User-Name = dhesse
Calling-Station-Id = 001109229950
Called-Station-Id = 000e6acd7ff5
NAS-Identifier = dhlab_3com
State = 0xd86ec63a7680f4308aeb922aa999e201
EAP-Message = 0x020400061900
Message-Authenticator = 0x76ad5ea260dbcc6ec8c011c9c7faa527
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
modcall[authorize]: module chap returns noop for request 3
modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = dhesse, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 3
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 3
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dhesse
radius_xlat: '(uid=dhesse)'
radius_xlat: 'o=StormLake'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=StormLake, with filter (uid=dhesse)
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user dhesse authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module eap returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 181 to 10.10.4.20:2501
EAP-Message =
0x0105002019001703010015bc0c8b230b6818687fdf49953a86ea2a7c92d8f0be
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x34fc3101d2597dcae9f02eb68c529953
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.10.4.20:2502, id=182,
length=164
NAS-IP-Address = 10.10.4.20
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Framed-MTU = 1400
User-Name = dhesse
Calling-Station-Id = 001109229950
Called-Station-Id = 000e6acd7ff5
NAS-Identifier = dhlab_3com
State = 0x34fc3101d2597dcae9f02eb68c529953
EAP-Message =
0x02050022190017030100171d156bb7f6783f7d189e1907099a9fa7309a04e469c5b1
Message-Authenticator = 0xe538669776929af733db5ebd93558b24
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module preprocess returns ok for request 4
modcall[authorize]: module chap returns noop for request 4
modcall[authorize]: module mschap returns noop for request 4
rlm_realm: No '@' in User-Name = dhesse, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 4
rlm_eap: EAP packet type response id 5 length 34
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 4
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dhesse
radius_xlat: '(uid=dhesse)'
radius_xlat: 'o=StormLake'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=StormLake, with filter (uid=dhesse)
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user dhesse authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - dhesse
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of dhesse
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to dhesse
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module preprocess returns ok for request 4
modcall[authorize]: module chap returns noop for request 4
modcall[authorize]: module mschap returns noop for request 4
rlm_realm: No '@' in User-Name = dhesse, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 4
rlm_eap: EAP packet type response id 5 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 4
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dhesse
radius_xlat: '(uid=dhesse)'
radius_xlat: 'o=StormLake'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=StormLake, with filter (uid=dhesse)
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user dhesse authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 4
modcall: group authenticate returns handled for request 4
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module eap returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 182 to 10.10.4.20:2502
EAP-Message =
0x010600371900170301002c2e60ef6cbaeb243c56acedee7a7f10fd837170ff8a7cf9db7376f6b80f3978e34405f8355b645ec66f716d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5658e0fa40025a64a9c21e91575b399d
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.10.4.20:2503, id=183,
length=218
NAS-IP-Address = 10.10.4.20
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Framed-MTU = 1400
User-Name = dhesse
Calling-Station-Id = 001109229950
Called-Station-Id = 000e6acd7ff5
NAS-Identifier = dhlab_3com
State = 0x5658e0fa40025a64a9c21e91575b399d
EAP-Message =
0x020600581900170301004dde7841f54a1023bc51de5b1049a3f40bc6a3885985ce3a25d2bb4eccc1b5750fb81735d317f01cdf5be04fa5ffb8d4ba2d8c4797bcc127929b672758a2ffe8fc4618d3ac27af90766780edb361
Message-Authenticator = 0xb1ca667f588b5c0be2ebe759ba2d3d71
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module preprocess returns ok for request 5
modcall[authorize]: module chap returns noop for request 5
modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = dhesse, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 5
rlm_eap: EAP packet type response id 6 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 5
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dhesse
radius_xlat: '(uid=dhesse)'
radius_xlat: 'o=StormLake'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=StormLake, with filter (uid=dhesse)
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user dhesse authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to dhesse
PEAP: Adding old state with 27 d7
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module preprocess returns ok for request 5
modcall[authorize]: module chap returns noop for request 5
modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = dhesse, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 5
rlm_eap: EAP packet type response id 6 length 65
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 5
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dhesse
radius_xlat: '(uid=dhesse)'
radius_xlat: 'o=StormLake'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=StormLake, with filter (uid=dhesse)
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user dhesse authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
rlm_mschap: Told to do MS-CHAPv2 for dhesse with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module mschap returns ok for request 5
modcall: group Auth-Type returns ok for request 5
MSCHAP Success
modcall[authenticate]: module eap returns handled for request 5
modcall: group authenticate returns handled for request 5
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module eap returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 183 to 10.10.4.20:2503
EAP-Message =
0x0107004a1900170301003f0226fad9a3d3afef959674ecb3b3414541310676070004398f63d7a5bba3441ee2a3dfcdbbbde73f91f7312051a0f5b579bf9193eb090630c7be88de6d4dee
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c24a22194018da936facb78fe3ceaf8
Finished request 5
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.10.4.20:2504, id=184,
length=159
NAS-IP-Address = 10.10.4.20
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Framed-MTU = 1400
User-Name = dhesse
Calling-Station-Id = 001109229950
Called-Station-Id = 000e6acd7ff5
NAS-Identifier = dhlab_3com
State = 0x0c24a22194018da936facb78fe3ceaf8
EAP-Message =
0x0207001d19001703010012f1bdeccdf36c88896d25284d609126cdf8ac
Message-Authenticator = 0x48bcf0174488515db7aab6c2b9615e3d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = dhesse, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 7 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dhesse
radius_xlat: '(uid=dhesse)'
radius_xlat: 'o=StormLake'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=StormLake, with filter (uid=dhesse)
rlm_ldap: Added the eDirectory password in check items
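As an added example (not part of the original post and not FreeRADIUS code), a small decoder for the EAP-Message values in the debug output above: it splits the EAP header, the PEAP flag byte and the TLS records inside, so the ChangeCipherSpec/Finished exchange, the empty EAP-TLS ACK and the Application-Data records that carry the tunneled MS-CHAPv2 can be read straight off a log when a supplicant fails partway. It assumes the standard EAP and TLS 1.0 record layouts and the EAP-TLS flag byte (L/M/S plus PEAP version bits); the sample inputs are the hex values quoted from the WinXP log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def parse_tls_records(body):
    """Split concatenated TLS records (1-byte type, 2-byte version, 2-byte length).
    Returns (records, leftover) because a PEAP fragment (M flag set) may end mid-record."""
    records = []
    while len(body) >= 5:
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", body[:5])
        if len(body) < 5 + rlen:
            break
        records.append({"type": TLS_RECORDS.get(ctype, ctype), "version": (vmaj, vmin), "length": rlen})
        body = body[5 + rlen:]
    return records, len(body)

def decode_eap_message(hexstr):
    """Decode one EAP-Message value as printed by radiusd -X ("0x" prefix optional)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field %d but %d bytes present" % (length, len(data)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return info                       # Success/Failure carry no type byte
    eap_type, flags = data[4], data[5]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    # EAP-TLS/PEAP flag byte: L = length included, M = more fragments, S = start; low bits = PEAP version
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20),
                     "version": flags & 0x07}
    body = data[6:]
    if flags & 0x80:                      # L flag: 4-byte total TLS message length precedes the data
        info["tls_total_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    info["records"], leftover = parse_tls_records(body)
    if leftover and not flags & 0x40:
        raise ValueError("%d trailing bytes but no M flag: malformed fragment" % leftover)
    info["ack"] = not body and not flags & 0x20   # empty message with S clear is an EAP-TLS ACK
    return info

# Three EAP-Message values quoted from the WinXP log above: the server's ChangeCipherSpec + Finished,
# the client's bare ACK, and the first Application-Data record that opens the PEAP tunnel.
SERVER_FINISHED = "0x0104003119001403010001011603010020fb444951ea0360a043b79a34ac4ca533ae9744e6dc6fd7cda10c7b0470fbc55b"
CLIENT_ACK = "0x020400061900"
TUNNEL_START = "0x0105002019001703010015bc0c8b230b6818687fdf49953a86ea2a7c92d8f0be"

if __name__ == "__main__":
    for h in (SERVER_FINISHED, CLIENT_ACK, TUNNEL_START):
        print(decode_eap_message(h))
```

A supplicant that never answers the Finished with an ACK, or whose next message is an Alert record (type 21) instead of Application Data, is rejecting the server certificate rather than failing on the inner MS-CHAPv2.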