Client certs with MSCHAPV2 in PEAP

Dave Huff dbhuff at yahoo.com
Wed Feb 22 21:03:01 CET 2006

> -----Original Message-----
> From: aland at nitros9.org [mailto:aland at nitros9.org] On Behalf 
> Of Alan DeKok

> 
> "Dave Huff" <dbhuff at yahoo.com> wrote:
> > I would like to configure this setup using Freeradius.  My WinXP 
> > client (Intel ProSET) supports this, but FR chokes on it 
> when enabled.
> 
>   Would you be willing to run the server in debugging mode, 
> as suggested in the FAQ, README, INSTALL, and daily on this list?

Sure, I thought my question needed a quick answer, but here I've included the
log AFTER inserting the line in the users file and turning on the client
cert part of MSCHAPV2 in ProSET:
<snip>
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 71 to 192.168.0.1:1201
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd4448443a5823bb9ceffabd590f27721
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 71 with timestamp 43fcc0a4
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=72, 
length=243
        User-Name = "a at b.com"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00-0f-3d-3f-49-92"
        Calling-Station-Id = "00-0e-35-60-27-1f"
        NAS-Identifier = "HomeAP"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x0202006a198000000060160301005b01000057030143fcc0c5eb46025dd5e3662940ba6406
6bed01df2be7d94eb754c77da12672c300003000390038003500160013000a00330032002f00
66000500040065006400630062006000150012000900140011000800030100
        State = 0xd4448443a5823bb9ceffabd590f27721
        Message-Authenticator = 0xdcd7050a2c3750c9314d44818cf15867
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: Looking up realm "b.com" for User-Name = "a at b.com"
    rlm_realm: No such realm "b.com"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 75
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0780], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0074], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 72 to 192.168.0.1:1201
        EAP-Message = 
0x0103040a19c00000084d160301004a02000046030143fcc0c6b503405d5825db4720dc2d66
93c9570afd72cd19086b5e9d890c2f4f2010fa22c781d6954b8b8a8a8d1e7c1f3fc0d5bbf96b
c540e87c90018c4636459f00350016030107800b00077c00077900035d3082035930820241a0
03020102020102300d06092a864886f70d01010405003063310b300906035504061302555331
1530130603550408130c50656e6e73796c76616e69613112301006035504071309576f726365
7374657231153013060355040a130c4944205761746368646f67733112301006035504031309
54726f6f7065724341301e170d3036303231393033313332325a
        EAP-Message = 
0x170d3037303231393033313332325a3064310b300906035504061302555331153013060355
0408130c50656e6e73796c76616e69613112301006035504071309576f726365737465723115
3013060355040a130c4944205761746368646f6773311330110603550403130a54726f6f7065
7252616430820122300d06092a864886f70d01010105000382010f003082010a028201010099
f1fa5cf0c4375eb065831ebe83f37e10534c26f8d1d70c03e65b0f52ae551dfac678b45559fc
2acfc121fb6ffe9c1e6b187057f4f5b425009b2512a496ed90ffd4a96a39f2a5e8be5aa70087
7a205aab04c4c71add5e4d52935ee4970c4468ddd63ff2850398
        EAP-Message = 
0xcb3e82860bc94c036b363f03f55f73d75d214efcfb9e9a38640f540e08c4461e02677a9d5b
44d79cc0ff1ae6b4a593379c63bf74561d827ebd6ce0d137a088718716130e6f96ab296ca601
ee3f57521ea82effaa77d42ce3f29152f6570d5755195a13c0d7f8178b1db3754eb2454fe392
4871d30d663ba1fdd39ae3b7cc4c291695e4eed44210738005fbc6d12f191c64172e6753bef5
06fb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a86
4886f70d01010405000382010100877b9682c26f7b7369e2ab88941e63a84c1bd9a9c641c98b
655d0d6252987ab8767d3948ea77e037f08b45c2125e0d311902
        EAP-Message = 
0x053e65c3a108c0385896bb075f5d7f2f6c6ba40b3f587744ab2f70d902d02eb02c5515a248
c1b981131e07acbe64f6ac36cd5f17e42d264240353b43afa45bc7e1e68087403d400084ebbb
e0cf8313bdd0647e439212b54ed6094724d53279ea11c6f440d69c1a2f42fb0d7b389a133caf
0b071d3839bff17db67ae38afd6bb0353c918baba67abe7f43985de9298a316b4bf96053a515
330099a6721418348aaa31e72ff274a04babc5e3a8a65c54a074ad16e4cfe12b8c5355d80319
f981dcef952b94926a87ecbe840958a23300041630820412308202faa00302010202090082b0
a04de04eb718300d06092a864886f70d01010405003063310b30
        EAP-Message = 0x09060355040613025553311530130603550408130c50
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd214e2024bffde002e515ff0f517fb5e
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=73, 
length=143
        User-Name = "a at b.com"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00-0f-3d-3f-49-92"
        Calling-Station-Id = "00-0e-35-60-27-1f"
        NAS-Identifier = "HomeAP"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300061900
        State = 0xd214e2024bffde002e515ff0f517fb5e
        Message-Authenticator = 0xb2affa49d6ce01da8572133569df588a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: Looking up realm "b.com" for User-Name = "a at b.com"
    rlm_realm: No such realm "b.com"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 75
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 73 to 192.168.0.1:1201
        EAP-Message = 
0x010404061940656e6e73796c76616e69613112301006035504071309576f72636573746572
31153013060355040a130c4944205761746368646f6773311230100603550403130954726f6f
7065724341301e170d3036303231393033303233375a170d3131303231383033303233375a30
63310b3009060355040613025553311530130603550408130c50656e6e73796c76616e696131
12301006035504071309576f7263657374657231153013060355040a130c4944205761746368
646f6773311230100603550403130954726f6f706572434130820122300d06092a864886f70d
01010105000382010f003082010a0282010100c5ced89051c06e
        EAP-Message = 
0x5aaafae85f774228ad568a86a34614107bb6a12d77639024e15c7148210ef71c28a2c97fef
4a2349aaa27bc108a5ac6f58533e59c6a8055cc1894c46dc3c43b653395d80b6c359fceac27f
138a99f2815b9bdca5ca10b64d4dcbf60bb7e0f2c4157a6826c3ffdced8895dad9df9e7e5e68
04c8a24e961fbe0d0f7d59d4a36b8ed5d5072469641e660375c8508fd6b9be347b09f16f623f
d145084e357fbe429dd74eab193a9d46186aff47620d7f2f78fc5cfc251694f237689ad1f8e8
087a4f2fb89a0acb842e50cb961ab90ad8d759613677bd594d160fa5b6022d537bf7b8ddaf60
4db82a033a1c6629e35b6619bafe26e6c874b2f432e102030100
        EAP-Message = 
0x01a381c83081c5301d0603551d0e04160414a9bf8a8dc8db8eef9bb1210d6b8fcf4d187aba
023081950603551d2304818d30818a8014a9bf8a8dc8db8eef9bb1210d6b8fcf4d187aba02a1
67a4653063310b3009060355040613025553311530130603550408130c50656e6e73796c7661
6e69613112301006035504071309576f7263657374657231153013060355040a130c49442057
61746368646f6773311230100603550403130954726f6f706572434182090082b0a04de04eb7
18300c0603551d13040530030101ff300d06092a864886f70d01010405000382010100a54059
6be4be3e4c1a42236ec961fabf5ea71b6ad48fd5c6f0f1cb60c7
        EAP-Message = 
0x78a0b551427e9d73386e7b5ec34edebfd504a7a9b5c30eef6e6c3c732354740aa89c5cf589
8b5fc2b723cc32834126a58ca1bb7520f9e2a146aa46b6d2980f7074ee59a7f57319ae0b44c0
8245932dfaed720822cd2747f3180ab626c28987afd080e390b25f8164e15097620b8dc5af80
ee86787ce210f0f701c09728566b4868dea95fcb61821c29e16ae263fc6a5c574116cb7e57b0
abdf0bff7c5026dd183d614381a14938ab5de04457f5cf81f013d6f9e52d6f91ee06478648c1
0f582b9d5c5967f1bb71af9a426ad6acc2c34336d3ec1408a661b65a2f663c13779a66f2fa70
16030100740d00006c020102006700653063310b300906035504
        EAP-Message = 0x0613025553311530130603550408130c5065
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcc9afa493d131a50d1bf517ed40e0737
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=74, 
length=143
        User-Name = "a at b.com"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00-0f-3d-3f-49-92"
        Calling-Station-Id = "00-0e-35-60-27-1f"
        NAS-Identifier = "HomeAP"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020400061900
        State = 0xcc9afa493d131a50d1bf517ed40e0737
        Message-Authenticator = 0x0eb760f998c50210fc167006eee7f998
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: Looking up realm "b.com" for User-Name = "a at b.com"
    rlm_realm: No such realm "b.com"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 75
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 74 to 192.168.0.1:1201
        EAP-Message = 
0x0105005319006e6e73796c76616e69613112301006035504071309576f7263657374657231
153013060355040a130c4944205761746368646f6773311230100603550403130954726f6f70
657243410e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3fca0516a58c89388b91b9034e7dc9e1
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=75, 
length=154
        User-Name = "a at b.com"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00-0f-3d-3f-49-92"
        Calling-Station-Id = "00-0e-35-60-27-1f"
        NAS-Identifier = "HomeAP"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500111980000000071503010002022e
        State = 0x3fca0516a58c89388b91b9034e7dc9e1
        Message-Authenticator = 0xa9b53c8c1965bd60d705858db58305a2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: Looking up realm "b.com" for User-Name = "a at b.com"
    rlm_realm: No such realm "b.com"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 5 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 75
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal 
certificate_unknown
TLS Alert read:fatal:certificate unknown
    TLS_accept:failed in SSLv3 read client certificate A
15219:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert 
certificate unknown:s3_pkt.c:1052:SSL alert number 46
15219:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake 
failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 4
modcall: group authenticate returns reject for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 75 to 192.168.0.1:1201
        EAP-Message = 0x04050004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 72 with timestamp 43fcc0c6
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 73 with timestamp 43fcc0c7
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 74 with timestamp 43fcc0c8
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 75 with timestamp 43fcc0c9
Nothing to do.  Sleeping until we see a request.

> 
> > I noted this
> > http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/1873393.html
> > but was unable to figure out where the DEFAULT 
> > EAP-TLS-Require-Client-Cert := Yes should be set.
> 
>   In the "users" file.
The log above is from a failed authentication with this line in the users file.
I created all certs and the CA in OpenSSL.  Authentication works fine without
the requirement for the client cert, but adding the client cert requirement
causes the TLS handshake to fail.  This line occurs even in successful
authentications without the client cert:
"failed in SSLv3 read client certificate A"

I appreciate your help, thanks.
> 
>   Alan DeKok.




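The handshake in the log above can be read directly from the EAP-Message hex rather than from the OpenSSL state names. The following Python is an added example for this page, not code from the original post and not part of FreeRADIUS: it reassembles the EAP-Message attributes of each RADIUS packet in a `radiusd -X` log (the wrapped continuation lines and, for large fragments, several EAP-Message attributes per packet), decodes the EAP header and the EAP-TLS/PEAP flags byte, and names the TLS records inside. The sample input is copied from the log above; the three regexes assume the line layout of the 1.x debug output shown there, which is an assumption about the format rather than a documented interface. Run on the four packets it shows the PEAP Start, the ClientHello, a fragment ACK, and, for request 4, that the last message from the supplicant is a fatal TLS alert 46 (certificate_unknown) sent by the client after the server's CertificateRequest.

```python
"""Decode EAP-Message attributes from a FreeRADIUS debug log (radiusd -X) into EAP/PEAP
headers and the TLS records they carry, so the handshake step that failed is readable."""
import re
from types import SimpleNamespace

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied", 51: "decrypt_error"}


def parse_eap(raw: bytes) -> SimpleNamespace:
    """Parse one reassembled EAP packet: RFC 3748 header, then for EAP-TLS (13) and PEAP (25)
    the flags byte (L=0x80 length present, M=0x40 more fragments, S=0x20 start) and TLS length."""
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError(f"bad EAP length for {raw.hex()}")
    pkt = SimpleNamespace(code=raw[0], identifier=raw[1], length=len(raw), eap_type=None,
                          flags=0, tls_total_length=None, tls_data=b"")
    if pkt.code in (1, 2) and len(raw) > 4:          # Success/Failure carry no type byte
        pkt.eap_type, pkt.tls_data = raw[4], raw[5:]
    if pkt.eap_type in (13, 25) and len(raw) > 5:    # EAP-TLS and PEAP share the TLS framing
        pkt.flags, body = raw[5], raw[6:]
        if pkt.flags & 0x80:                         # L bit: 4-byte total TLS message length
            pkt.tls_total_length, body = int.from_bytes(body[:4], "big"), body[4:]
        pkt.tls_data = body
    return pkt


def parse_tls_records(data: bytes) -> list[tuple[int, tuple[int, int], int, bytes]]:
    """Split a TLS fragment into (content_type, version, declared_len, body) tuples; a record
    cut off by EAP fragmentation comes back with a body shorter than declared_len."""
    records, off = [], 0
    while off + 5 <= len(data):
        ln = int.from_bytes(data[off + 3:off + 5], "big")
        records.append((data[off], (data[off + 1], data[off + 2]), ln, data[off + 5:off + 5 + ln]))
        off += 5 + ln
    return records


def describe(raw: bytes) -> str:
    """One-line summary of an EAP packet and the TLS records it carries."""
    pkt = parse_eap(raw)
    head = f"EAP {EAP_CODES.get(pkt.code, pkt.code)} id={pkt.identifier} len={pkt.length}"
    if pkt.eap_type not in (13, 25):
        return head if pkt.eap_type is None else head + f" type={pkt.eap_type}"
    flags = "".join(n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if pkt.flags & bit)
    head += f" type={'PEAP' if pkt.eap_type == 25 else 'EAP-TLS'} flags={flags or '-'}"
    if pkt.tls_total_length is not None:
        head += f" tls_len={pkt.tls_total_length}"
    if pkt.flags & 0x20:
        return head + " [Start]"
    if not pkt.tls_data:
        return head + " [ACK]"
    parts = []
    for ctype, ver, ln, body in parse_tls_records(pkt.tls_data):
        text = f"{TLS_VERSIONS.get(ver, str(ver))} {TLS_CONTENT.get(ctype, ctype)}[{ln}]"
        if ctype == 22 and body:                     # first handshake message type in the record
            text += " " + HANDSHAKE.get(body[0], f"hs{body[0]}")
        elif ctype == 21 and len(body) >= 2:         # alert level and description
            text += f" {'fatal' if body[0] == 2 else 'warning'} {ALERT_DESC.get(body[1], body[1])}"
        if len(body) < ln:
            text += f" (truncated {len(body)}/{ln} bytes, continues in next fragment)"
        parts.append(text)
    return head + " " + "; ".join(parts)


# Assumed layout of the radiusd -X output shown above: one attribute per line, long hex
# values wrapped onto bare continuation lines, packets introduced by rad_recv:/Sending.
ATTR_RE = re.compile(r"^\s*EAP-Message\s*=\s*(?:0x)?([0-9a-fA-F]*)\s*$")
CONT_RE = re.compile(r"^\s*(?:0x)?([0-9a-fA-F]+)\s*$")
PACKET_RE = re.compile(r"^(rad_recv:|Sending Access-)")


def extract_eap_messages(log: str) -> list[bytes]:
    """Reassemble the EAP packet of each RADIUS packet: radiusd wraps long hex values onto
    continuation lines and splits packets over 253 bytes across several EAP-Message attributes."""
    packets, current, in_attr = [], [], False
    for line in log.splitlines() + ["rad_recv: (sentinel)"]:   # sentinel flushes the last packet
        attr = ATTR_RE.match(line)
        if PACKET_RE.match(line):
            if current:
                packets.append(bytes.fromhex("".join(current)))
            current, in_attr = [], False
        elif attr:
            current.append(attr.group(1))
            in_attr = True
        elif in_attr and CONT_RE.match(line):
            current.append(CONT_RE.match(line).group(1))
        else:
            in_attr = False
    return packets


# Packets copied from the debug log above: PEAP Start, the wrapped ClientHello, one ACK,
# and the client's fatal alert from request 4.
SAMPLE_LOG = """\
        EAP-Message = 0x010200061920
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=72, length=243
        EAP-Message = 
0x0202006a198000000060160301005b01000057030143fcc0c5eb46025dd5e3662940ba6406
6bed01df2be7d94eb754c77da12672c300003000390038003500160013000a00330032002f00
66000500040065006400630062006000150012000900140011000800030100
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=73, length=143
        EAP-Message = 0x020300061900
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=75, length=154
        EAP-Message = 0x020500111980000000071503010002022e
"""

if __name__ == "__main__":
    for packet in extract_eap_messages(SAMPLE_LOG):
        print(describe(packet))
```

Two things worth keeping in mind when reading the decoded output against the log. The alert record is carried in an EAP Response, so it was generated by the supplicant: the server-side debug log shows where the handshake stopped but cannot show why the client rejected what it received (the server certificate and the CertificateRequest are the last things it saw), and the supplicant's own logging is where that answer lives. Also, the "error in SSLv3 read client certificate A" line that appears right after the server sends its CertificateRequest is OpenSSL's non-blocking accept reporting that it needs more input before it can continue (the next EAP fragment has not arrived yet), which is why that line also shows up in successful handshakes; the "failed in" line together with the decoded alert is the real failure.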