Any Trusted CA problem

Torkel Mathisen torkel.mathisen at bbs.no
Tue Feb 21 14:28:21 CET 2006


As a follow-up to my previous message: I guess I should have added the debug log there already.

Anyway, here is the debug log, and as you can see I get an unknown CA error. However, I have all certs in the correct location on the freeradius server.

Does anyone know how to fix this?

Running freeradius 1.0.5 with PEAP/MS-CHAPv2


rad_recv: Access-Request packet from host 192.168.2.4:21665, id=181,
length=138
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "000e.8401.cd50"
        Calling-Station-Id = "0004.2357.ab9d"
        Message-Authenticator = 0xa284452031cc71ac7722c75272190189
        EAP-Message = 0x0201000e01616e6f6e796d6f7573
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 497
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.2.4
        NAS-Identifier = "AP1100-D2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 181 to 192.168.2.4:21665
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x45fc39656c1e7d8704c7761797a46146
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=182,
length=248
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "000e.8401.cd50"
        Calling-Station-Id = "0004.2357.ab9d"
        Message-Authenticator = 0x1b57e23083b00190c6267515556bb225
        EAP-Message =
0x0202006a198000000060160301005b01000057030143fb10d40a705517a5520974d156590946932ddea339e2527d91f3e0bf30400200003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 497
        State = 0x45fc39656c1e7d8704c7761797a46146
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.2.4
        NAS-Identifier = "AP1100-D2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 182 to 192.168.2.4:21665
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message =
0x0103040a19c0000007c3160301004a02000046030143fb125a187c9d3e464e794df8ba58186389c1dd88c02f3d863cf77d8cd02d5f203da3113d0277508494cd6bd10c8e20eb05da7032de148ca065b4b3801f168c6c00390016030106540b00065000064d0002b3308202af30820218a003020102020900b646b246bff02a86300d06092a864886f70d010104050030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963
        EAP-Message =
0x1edad7e4a54456fd7989e901485e9f2fcf7e8ed8e57fae97fb2fdd1fba5a50c683b7da7f00039430820390308202f9a003020102020900b646b246bff02a84300d06092a864886f70d010104050030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f7374301e170d3035313032363132333432335a170d303731303236313233343233
        EAP-Message = 0x5a30818d310b3009060355040613024e4f310d300b06
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x515242558a4574a078cacb1b266de363
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=183,
length=148
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "000e.8401.cd50"
        Calling-Station-Id = "0004.2357.ab9d"
        Message-Authenticator = 0x017aef237dc27ad66de21013a4da5bdc
        EAP-Message = 0x020300061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 497
        State = 0x515242558a4574a078cacb1b266de363
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.2.4
        NAS-Identifier = "AP1100-D2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 183 to 192.168.2.4:21665
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message =
0xe66f0001050040092d106c2ef3689a643d3fd076a14b3f75be6fbdd0c08e7950f20922dc73fa64fea8a5f44012c4af669f46185e95158f91ad4e170982febc5766ebf47a7a13cc008005fa59ad40eaf289554204e2db05a7e7c535bc610447faaadf40f28ac719adf683be4ef8296ff9cc0ab7f51ce6965d39d278572fb8be1525d6ad57fa5fa44c34451ee24c7922a06fdc1faef6e6a75bd403f4e9944f30095956efc433833743448b80cec60e0d066a9b15f4b1d34c8565f43b8bb68504359ae2c972524473e56216030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9d32410c0e854c04a4f03aacb11e72d7
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=184,
length=159
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "000e.8401.cd50"
        Calling-Station-Id = "0004.2357.ab9d"
        Message-Authenticator = 0x0f8b658442d58b4085f9b405518cdf41
        EAP-Message = 0x0204001119800000000715030100020230
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 497
        State = 0x9d32410c0e854c04a4f03aacb11e72d7
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.2.4
        NAS-Identifier = "AP1100-D2"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 4 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client certificate A 11457:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 11457:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake
failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 3
modcall: group authenticate returns reject for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=184,
length=159
Sending Access-Reject of id 184 to 192.168.2.4:21665
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 43fb125a Cleaning up request 1 ID 182 with timestamp 43fb125a Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 183 with timestamp 43fb125b Cleaning up request 3 ID 184 with timestamp 43fb125b Nothing to do.  Sleeping until we see a request.


Regards,
Torkel
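The EAP-Message values in the log above can be decoded by hand to see where the handshake fails. The following decoder is an added example (not FreeRADIUS code and not from the poster): it unpacks the EAP header, the PEAP flags byte and, when a TLS record follows, the record header and any TLS alert. Run on the EAP-Message of the last Access-Request (id 184), it shows a fatal unknown_ca alert (number 48) carried inside the packet the supplicant sent to the server, which is what the "TLS Alert read:fatal:unknown CA" line reports.

```python
# Decoder for EAP-Message attributes as printed by "radiusd -X" (added
# example, not FreeRADIUS code). Handles EAP Identity (type 1) and PEAP
# (type 25) payloads and the TLS record / alert wrapped inside PEAP.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied"}


def decode_eap_message(hex_value):
    """Decode one EAP-Message value ('0x...' string) into a dict."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", data[:4])  # EAP header (RFC 3748)
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or len(data) < 5:  # Success/Failure carry no type byte
        return out
    eap_type = data[4]
    out["type"] = eap_type
    if eap_type == 1:  # Identity: the rest is the (outer) identity string
        out["identity"] = data[5:].decode("ascii", "replace")
        return out
    if eap_type == 25:  # PEAP: flags byte = L M S reserved + 3-bit version
        flags = data[5]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        out["peap_version"] = flags & 0x07
        body = data[6:]
        if out["flags"]["L"]:  # L set: 4-byte total TLS message length follows
            out["tls_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        if len(body) >= 5:  # TLS record header: type(1) version(2) length(2)
            ctype, major, minor, rlen = struct.unpack("!BBBH", body[:5])
            out["tls"] = {"content": TLS_CONTENT.get(ctype, ctype),
                          "version": f"{major}.{minor}", "length": rlen}
            payload = body[5:5 + rlen]
            if ctype == 21 and len(payload) >= 2:  # Alert: level(1) description(1)
                level, desc = payload[0], payload[1]
                out["tls"]["alert"] = {"level": "fatal" if level == 2 else "warning",
                                       "description": TLS_ALERTS.get(desc, desc), "number": desc}
    return out


if __name__ == "__main__":
    # Values taken from the debug log above: identity, PEAP start, and the final alert.
    for msg in ("0x0201000e01616e6f6e796d6f7573", "0x010200061920",
                "0x0204001119800000000715030100020230", "0x04040004"):
        print(msg, "->", decode_eap_message(msg))
```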




-----Original Message-----
From: freeradius-users-bounces+torkel.mathisen=bbs.no at lists.freeradius.org [mailto:freeradius-users-bounces+torkel.mathisen=bbs.no at lists.freeradius.org] On behalf of Torkel Mathisen
Sent: 17 February 2006 09:59
To: FreeRadius users mailing list
Subject: Any Trusted CA problem

Hi,

I run freeradius 1.0.5 with PEAP/MS-CHAPv2 authentication through the
users file. 

I have a problem with the "Any Trusted CA" part on some of my clients.

Some of the clients can't uncheck that option in the driver and then
they won't be able to use the WLAN, because it tries to contact a CA.

Is there any way around this problem?


Regards,
Torkel
